[patch 00/50] -stable review

[patch 00/50] -stable review

[Chris Wright]

This is the start of the stable review cycle for the 2.6.19.2 release.
There are 50 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let us know.  If anyone is a maintainer of the proper subsystem, and
wants to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
to add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Mon Jan 8 02:30 UTC.
Anything received after that time might be too late.

thanks,

the -stable release team
--

[patch 01/50] dm-crypt: Select CRYPTO_CBC

[Chris Wright]

[-- Attachment #1: dm-crypt-select-crypto_cbc.patch --]
[-- Type: text/plain, Size: 829 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

As CBC is the default chaining method for cryptoloop, we should select
it from cryptoloop to ease the transition.  Spotted by Rene Herman.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/md/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.19.1.orig/drivers/md/Kconfig
+++ linux-2.6.19.1/drivers/md/Kconfig
@@ -215,6 +215,7 @@ config DM_CRYPT
 	tristate "Crypt target support"
 	depends on BLK_DEV_DM && EXPERIMENTAL
 	select CRYPTO
+	select CRYPTO_CBC
 	---help---
 	  This device-mapper target allows you to create a device that
 	  transparently encrypts the data on it. You'll need to activate

--

[patch 02/50] sha512: Fix sha384 block size

[Chris Wright]

[-- Attachment #1: sha512-fix-sha384-block-size.patch --]
[-- Type: text/plain, Size: 798 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

The SHA384 block size should be 128 bytes, not 96 bytes.  This was
spotted by Andrew Donofrio.

This breaks HMAC which uses the block size during setup and the final
calculation.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 crypto/sha512.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/crypto/sha512.c
+++ linux-2.6.19.1/crypto/sha512.c
@@ -24,7 +24,7 @@
 
 #define SHA384_DIGEST_SIZE 48
 #define SHA512_DIGEST_SIZE 64
-#define SHA384_HMAC_BLOCK_SIZE  96
+#define SHA384_HMAC_BLOCK_SIZE 128
 #define SHA512_HMAC_BLOCK_SIZE 128
 
 struct sha512_ctx {

--

[patch 03/50] read_zero_pagealigned() locking fix

[Chris Wright]

[-- Attachment #1: read_zero_pagealigned-locking-fix.patch --]
[-- Type: text/plain, Size: 4267 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Hugh Dickins <hugh@veritas.com>

Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range: kernel
bugzilla 7645.  Right: read_zero_pagealigned uses down_read of mmap_sem,
but another thread's racing read of /dev/zero, or a normal fault, can
easily set that pte again, in between zap_page_range and zeromap_page_range
getting there.  It's been wrong ever since 2.4.3.

The simple fix is to use down_write instead, but that would serialize reads
of /dev/zero more than at present: perhaps some app would be badly
affected.  So instead let zeromap_page_range return the error instead of
BUG_ON, and read_zero_pagealigned break to the slower clear_user loop in
that case - there's no need to optimize for it.

Use -EEXIST for when a pte is found: BUG_ON in mmap_zero (the other user of
zeromap_page_range), though it really isn't interesting there.  And since
mmap_zero wants -EAGAIN for out-of-memory, the zeromaps better return that
than -ENOMEM.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: Ramiro Voicu: <Ramiro.Voicu@cern.ch>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/char/mem.c |   12 ++++++++----
 mm/memory.c        |   32 +++++++++++++++++++++-----------
 2 files changed, 29 insertions(+), 15 deletions(-)

--- linux-2.6.19.1.orig/drivers/char/mem.c
+++ linux-2.6.19.1/drivers/char/mem.c
@@ -646,7 +646,8 @@ static inline size_t read_zero_pagealign
 			count = size;
 
 		zap_page_range(vma, addr, count, NULL);
-        	zeromap_page_range(vma, addr, count, PAGE_COPY);
+        	if (zeromap_page_range(vma, addr, count, PAGE_COPY))
+			break;
 
 		size -= count;
 		buf += count;
@@ -713,11 +714,14 @@ out:
 
 static int mmap_zero(struct file * file, struct vm_area_struct * vma)
 {
+	int err;
+
 	if (vma->vm_flags & VM_SHARED)
 		return shmem_zero_setup(vma);
-	if (zeromap_page_range(vma, vma->vm_start, vma->vm_end - vma->vm_start, vma->vm_page_prot))
-		return -EAGAIN;
-	return 0;
+	err = zeromap_page_range(vma, vma->vm_start,
+			vma->vm_end - vma->vm_start, vma->vm_page_prot);
+	BUG_ON(err == -EEXIST);
+	return err;
 }
 #else /* CONFIG_MMU */
 static ssize_t read_zero(struct file * file, char * buf, 
--- linux-2.6.19.1.orig/mm/memory.c
+++ linux-2.6.19.1/mm/memory.c
@@ -1110,23 +1110,29 @@ static int zeromap_pte_range(struct mm_s
 {
 	pte_t *pte;
 	spinlock_t *ptl;
+	int err = 0;
 
 	pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);
 	if (!pte)
-		return -ENOMEM;
+		return -EAGAIN;
 	arch_enter_lazy_mmu_mode();
 	do {
 		struct page *page = ZERO_PAGE(addr);
 		pte_t zero_pte = pte_wrprotect(mk_pte(page, prot));
+
+		if (unlikely(!pte_none(*pte))) {
+			err = -EEXIST;
+			pte++;
+			break;
+		}
 		page_cache_get(page);
 		page_add_file_rmap(page);
 		inc_mm_counter(mm, file_rss);
-		BUG_ON(!pte_none(*pte));
 		set_pte_at(mm, addr, pte, zero_pte);
 	} while (pte++, addr += PAGE_SIZE, addr != end);
 	arch_leave_lazy_mmu_mode();
 	pte_unmap_unlock(pte - 1, ptl);
-	return 0;
+	return err;
 }
 
 static inline int zeromap_pmd_range(struct mm_struct *mm, pud_t *pud,
@@ -1134,16 +1140,18 @@ static inline int zeromap_pmd_range(stru
 {
 	pmd_t *pmd;
 	unsigned long next;
+	int err;
 
 	pmd = pmd_alloc(mm, pud, addr);
 	if (!pmd)
-		return -ENOMEM;
+		return -EAGAIN;
 	do {
 		next = pmd_addr_end(addr, end);
-		if (zeromap_pte_range(mm, pmd, addr, next, prot))
-			return -ENOMEM;
+		err = zeromap_pte_range(mm, pmd, addr, next, prot);
+		if (err)
+			break;
 	} while (pmd++, addr = next, addr != end);
-	return 0;
+	return err;
 }
 
 static inline int zeromap_pud_range(struct mm_struct *mm, pgd_t *pgd,
@@ -1151,16 +1159,18 @@ static inline int zeromap_pud_range(stru
 {
 	pud_t *pud;
 	unsigned long next;
+	int err;
 
 	pud = pud_alloc(mm, pgd, addr);
 	if (!pud)
-		return -ENOMEM;
+		return -EAGAIN;
 	do {
 		next = pud_addr_end(addr, end);
-		if (zeromap_pmd_range(mm, pud, addr, next, prot))
-			return -ENOMEM;
+		err = zeromap_pmd_range(mm, pud, addr, next, prot);
+		if (err)
+			break;
 	} while (pud++, addr = next, addr != end);
-	return 0;
+	return err;
 }
 
 int zeromap_page_range(struct vm_area_struct *vma,

--

[patch 04/50] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie

[Chris Wright]

[-- Attachment #1: ieee80211softmac-fix-mutex_lock-at-exit-of-ieee80211_softmac_get_genie.patch --]
[-- Type: text/plain, Size: 895 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ulrich Kunitz <kune@deine-taler.de>

ieee80211softmac_wx_get_genie locks the associnfo mutex at
function exit. This patch fixes it. The patch is against Linus'
tree (commit af1713e0).

Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ieee80211/softmac/ieee80211softmac_wx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_wx.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_wx.c
@@ -463,7 +463,7 @@ ieee80211softmac_wx_get_genie(struct net
 			err = -E2BIG;
 	}
 	spin_unlock_irqrestore(&mac->lock, flags);
-	mutex_lock(&mac->associnfo.mutex);
+	mutex_unlock(&mac->associnfo.mutex);
 
 	return err;
 }

--

[patch 05/50] x86-64: Mark rdtsc as sync only for netburst, not for core2

[Chris Wright]

[-- Attachment #1: x86-64-mark-rdtsc-as-sync-only-for-netburst-not-for-core2.patch --]
[-- Type: text/plain, Size: 1678 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Arjan van de Ven <arjan@linux.intel.com>

On the Core2 cpus, the rdtsc instruction is not serializing (as defined
in the architecture reference since rdtsc exists) and due to the deep
speculation of these cores, it's possible that you can observe time go
backwards between cores due to this speculation. Since the kernel
already deals with this with the SYNC_RDTSC flag, the solution is
simple, only assume that the instruction is serializing on family 15...

The price one pays for this is a slightly slower gettimeofday (by a
dozen or two cycles), but that increase is quite small to pay for a
really-going-forward tsc counter.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Commit:     f3d73707a1e84f0687a05144b70b660441e999c7
Author:     Arjan van de Ven <arjan@linux.intel.com>
AuthorDate: Thu Dec 7 02:14:12 2006 +0100

 arch/x86_64/kernel/setup.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- linux-2.6.19.1.orig/arch/x86_64/kernel/setup.c
+++ linux-2.6.19.1/arch/x86_64/kernel/setup.c
@@ -854,7 +854,10 @@ static void __cpuinit init_intel(struct 
 		set_bit(X86_FEATURE_CONSTANT_TSC, &c->x86_capability);
 	if (c->x86 == 6)
 		set_bit(X86_FEATURE_REP_GOOD, &c->x86_capability);
-	set_bit(X86_FEATURE_SYNC_RDTSC, &c->x86_capability);
+	if (c->x86 == 15)
+		set_bit(X86_FEATURE_SYNC_RDTSC, &c->x86_capability);
+	else
+		clear_bit(X86_FEATURE_SYNC_RDTSC, &c->x86_capability);
  	c->x86_max_cores = intel_num_cpu_cores(c);
 
 	srat_detect_node();

--

[patch 06/50] bonding: incorrect bonding state reported via ioctl

[Chris Wright]

[-- Attachment #1: bonding-incorrect-bonding-state-reported-via-ioctl.patch --]
[-- Type: text/plain, Size: 1170 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Andy Gospodarek <andy@greyhouse.net>

This is a small fix-up to finish out the work done by Jay Vosburgh to
add carrier-state support for bonding devices.  The output in
/proc/net/bonding/bondX was correct, but when collecting the same info
via an iotcl it could still be incorrect.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/bonding/bond_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/net/bonding/bond_main.c
+++ linux-2.6.19.1/drivers/net/bonding/bond_main.c
@@ -3675,7 +3675,7 @@ static int bond_do_ioctl(struct net_devi
 			mii->val_out = 0;
 			read_lock_bh(&bond->lock);
 			read_lock(&bond->curr_slave_lock);
-			if (bond->curr_active_slave) {
+			if (netif_carrier_ok(bond->dev)) {
 				mii->val_out = BMSR_LSTATUS;
 			}
 			read_unlock(&bond->curr_slave_lock);

--

[patch 07/50] DVB: lgdt330x: fix signal / lock status detection bug

[Chris Wright]

[-- Attachment #1: dvb-lgdt330x-fix-signal-lock-status-detection-bug.patch --]
[-- Type: text/plain, Size: 1524 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Michael Krufky <mkrufky@linuxtv.org>

In some cases when using VSB, the AGC status register has been known to
falsely report "no signal" when in fact there is a carrier lock.  The
datasheet labels these status flags as QAM only, yet the lgdt330x
module is using these flags for both QAM and VSB.

This patch allows for the carrier recovery lock status register to be
tested, even if the agc signal status register falsely reports no signal.

Thanks to jcrews from #linuxtv in irc, for initially reporting this bug.

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---

 drivers/media/dvb/frontends/lgdt330x.c |    6 ------
 1 file changed, 6 deletions(-)

--- linux-2.6.19.1.orig/drivers/media/dvb/frontends/lgdt330x.c
+++ linux-2.6.19.1/drivers/media/dvb/frontends/lgdt330x.c
@@ -435,9 +435,6 @@ static int lgdt3302_read_status(struct d
 		/* Test signal does not exist flag */
 		/* as well as the AGC lock flag.   */
 		*status |= FE_HAS_SIGNAL;
-	} else {
-		/* Without a signal all other status bits are meaningless */
-		return 0;
 	}
 
 	/*
@@ -500,9 +497,6 @@ static int lgdt3303_read_status(struct d
 		/* Test input signal does not exist flag */
 		/* as well as the AGC lock flag.   */
 		*status |= FE_HAS_SIGNAL;
-	} else {
-		/* Without a signal all other status bits are meaningless */
-		return 0;
 	}
 
 	/* Carrier Recovery Lock Status Register */

--

[patch 08/50] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support

[Chris Wright]

[-- Attachment #1: v4l-fix-broken-tuner_lg_ntsc_tape-radio-support.patch --]
[-- Type: text/plain, Size: 2576 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Hans Verkuil <hverkuil@xs4all.nl>

The TUNER_LG_NTSC_TAPE is identical in all respects to the
TUNER_PHILIPS_FM1236_MK3. So use the params struct for the Philips tuner.
Also add this LG_NTSC_TAPE tuner to the switches where radio specific
parameters are set so it behaves like a TUNER_PHILIPS_FM1236_MK3. This
change fixes the radio support for this tuner (the wrong bandswitch byte
was used).

Thanks to Andy Walls <cwalls@radix.net> for finding this bug.

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---

 drivers/media/video/tuner-simple.c |    2 ++
 drivers/media/video/tuner-types.c  |   14 ++------------
 2 files changed, 4 insertions(+), 12 deletions(-)

--- linux-2.6.19.1.orig/drivers/media/video/tuner-simple.c
+++ linux-2.6.19.1/drivers/media/video/tuner-simple.c
@@ -108,6 +108,7 @@ static int tuner_stereo(struct i2c_clien
 		case TUNER_PHILIPS_FM1216ME_MK3:
 		case TUNER_PHILIPS_FM1236_MK3:
 		case TUNER_PHILIPS_FM1256_IH3:
+		case TUNER_LG_NTSC_TAPE:
 			stereo = ((status & TUNER_SIGNAL) == TUNER_STEREO_MK3);
 			break;
 		default:
@@ -421,6 +422,7 @@ static void default_set_radio_freq(struc
 	case TUNER_PHILIPS_FM1216ME_MK3:
 	case TUNER_PHILIPS_FM1236_MK3:
 	case TUNER_PHILIPS_FMD1216ME_MK3:
+	case TUNER_LG_NTSC_TAPE:
 		buffer[3] = 0x19;
 		break;
 	case TUNER_TNF_5335MF:
--- linux-2.6.19.1.orig/drivers/media/video/tuner-types.c
+++ linux-2.6.19.1/drivers/media/video/tuner-types.c
@@ -672,16 +672,6 @@ static struct tuner_params tuner_panason
 	},
 };
 
-/* ------------ TUNER_LG_NTSC_TAPE - LGINNOTEK NTSC ------------ */
-
-static struct tuner_params tuner_lg_ntsc_tape_params[] = {
-	{
-		.type   = TUNER_PARAM_TYPE_NTSC,
-		.ranges = tuner_fm1236_mk3_ntsc_ranges,
-		.count  = ARRAY_SIZE(tuner_fm1236_mk3_ntsc_ranges),
-	},
-};
-
 /* ------------ TUNER_TNF_8831BGFF - Philips PAL ------------ */
 
 static struct tuner_range tuner_tnf_8831bgff_pal_ranges[] = {
@@ -1331,8 +1321,8 @@ struct tunertype tuners[] = {
 	},
 	[TUNER_LG_NTSC_TAPE] = { /* LGINNOTEK NTSC */
 		.name   = "LG NTSC (TAPE series)",
-		.params = tuner_lg_ntsc_tape_params,
-		.count  = ARRAY_SIZE(tuner_lg_ntsc_tape_params),
+		.params = tuner_fm1236_mk3_params,
+		.count  = ARRAY_SIZE(tuner_fm1236_mk3_params),
 	},
 	[TUNER_TNF_8831BGFF] = { /* Philips PAL */
 		.name   = "Tenna TNF 8831 BGFF)",

--

[patch 09/50] Revert "[PATCH] zd1211rw: Removed unneeded packed attributes"

[Chris Wright]

[-- Attachment #1: revert-zd1211rw-removed-unneeded-packed-attributes.patch --]
[-- Type: text/plain, Size: 3198 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: John W. Linville <linville@tuxdriver.com>

This reverts commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7.

Quoth Daniel Drake <dsd@gentoo.org>:

"A user reported that commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7
(Remove unneeded packed attributes) breaks the zd1211rw driver on ARM."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/wireless/zd1211rw/zd_ieee80211.h |    2 +-
 drivers/net/wireless/zd1211rw/zd_mac.c       |    2 +-
 drivers/net/wireless/zd1211rw/zd_mac.h       |    4 ++--
 drivers/net/wireless/zd1211rw/zd_usb.h       |   14 +++++++-------
 4 files changed, 11 insertions(+), 11 deletions(-)

--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_ieee80211.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_ieee80211.h
@@ -64,7 +64,7 @@ struct cck_plcp_header {
 	u8 service;
 	__le16 length;
 	__le16 crc16;
-};
+} __attribute__((packed));
 
 static inline u8 zd_cck_plcp_header_rate(const struct cck_plcp_header *header)
 {
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -721,7 +721,7 @@ struct zd_rt_hdr {
 	u8  rt_rate;
 	u16 rt_channel;
 	u16 rt_chbitmask;
-};
+} __attribute__((packed));
 
 static void fill_rt_header(void *buffer, struct zd_mac *mac,
 	                   const struct ieee80211_rx_stats *stats,
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.h
@@ -82,7 +82,7 @@ struct zd_ctrlset {
 struct rx_length_info {
 	__le16 length[3];
 	__le16 tag;
-};
+} __attribute__((packed));
 
 #define RX_LENGTH_INFO_TAG		0x697e
 
@@ -93,7 +93,7 @@ struct rx_status {
 	u8 signal_quality_ofdm;
 	u8 decryption_type;
 	u8 frame_status;
-};
+} __attribute__((packed));
 
 /* rx_status field decryption_type */
 #define ZD_RX_NO_WEP	0
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_usb.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_usb.h
@@ -74,17 +74,17 @@ enum control_requests {
 struct usb_req_read_regs {
 	__le16 id;
 	__le16 addr[0];
-};
+} __attribute__((packed));
 
 struct reg_data {
 	__le16 addr;
 	__le16 value;
-};
+} __attribute__((packed));
 
 struct usb_req_write_regs {
 	__le16 id;
 	struct reg_data reg_writes[0];
-};
+} __attribute__((packed));
 
 enum {
 	RF_IF_LE = 0x02,
@@ -101,7 +101,7 @@ struct usb_req_rfwrite {
 	/* RF2595: 24 */
 	__le16 bit_values[0];
 	/* (CR203 & ~(RF_IF_LE | RF_CLK | RF_DATA)) | (bit ? RF_DATA : 0) */
-};
+} __attribute__((packed));
 
 /* USB interrupt */
 
@@ -118,12 +118,12 @@ enum usb_int_flags {
 struct usb_int_header {
 	u8 type;	/* must always be 1 */
 	u8 id;
-};
+} __attribute__((packed));
 
 struct usb_int_regs {
 	struct usb_int_header hdr;
 	struct reg_data regs[0];
-};
+} __attribute__((packed));
 
 struct usb_int_retry_fail {
 	struct usb_int_header hdr;
@@ -131,7 +131,7 @@ struct usb_int_retry_fail {
 	u8 _dummy;
 	u8 addr[ETH_ALEN];
 	u8 ibss_wakeup_dest;
-};
+} __attribute__((packed));
 
 struct read_regs_int {
 	struct completion completion;

--

[patch 10/50] libata: handle 0xff status properly

[Chris Wright]

[-- Attachment #1: libata-handle-0xff-status-properly.patch --]
[-- Type: text/plain, Size: 4601 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Tejun Heo <htejun@gmail.com>

libata waits for !BSY even when the status register reports 0xff.
This causes long boot delays when D8 isn't pulled down properly.  This
patch does the followings.

* don't wait if status register is 0xff in all wait functions

* make ata_busy_sleep() return 0 on success and -errno on failure.
  -ENODEV is returned on 0xff status and -EBUSY on other failures.

* make ata_bus_softreset() succeed on 0xff status.  0xff status is not
  reset failure.  It indicates no device.  This removes unnecessary
  retries on such ports.  Note that the code change assumes unoccupied
  port reporting 0xff status does not produce valid device signature.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Joe Jin <lkmaillist@gmail.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
It fixes a long delay during booting for some hardware.
http://bugs.gentoo.org/157326

 drivers/ata/libata-core.c |   30 ++++++++++++++++++------------
 include/linux/libata.h    |    9 ++++-----
 2 files changed, 22 insertions(+), 17 deletions(-)

--- linux-2.6.19.1.orig/drivers/ata/libata-core.c
+++ linux-2.6.19.1/drivers/ata/libata-core.c
@@ -2325,11 +2325,14 @@ static inline void ata_tf_to_host(struct
  *	Sleep until ATA Status register bit BSY clears,
  *	or a timeout occurs.
  *
- *	LOCKING: None.
+ *	LOCKING:
+ *	Kernel thread context (may sleep).
+ *
+ *	RETURNS:
+ *	0 on success, -errno otherwise.
  */
-
-unsigned int ata_busy_sleep (struct ata_port *ap,
-			     unsigned long tmout_pat, unsigned long tmout)
+int ata_busy_sleep(struct ata_port *ap,
+		   unsigned long tmout_pat, unsigned long tmout)
 {
 	unsigned long timer_start, timeout;
 	u8 status;
@@ -2337,27 +2340,32 @@ unsigned int ata_busy_sleep (struct ata_
 	status = ata_busy_wait(ap, ATA_BUSY, 300);
 	timer_start = jiffies;
 	timeout = timer_start + tmout_pat;
-	while ((status & ATA_BUSY) && (time_before(jiffies, timeout))) {
+	while (status != 0xff && (status & ATA_BUSY) &&
+	       time_before(jiffies, timeout)) {
 		msleep(50);
 		status = ata_busy_wait(ap, ATA_BUSY, 3);
 	}
 
-	if (status & ATA_BUSY)
+	if (status != 0xff && (status & ATA_BUSY))
 		ata_port_printk(ap, KERN_WARNING,
 				"port is slow to respond, please be patient "
 				"(Status 0x%x)\n", status);
 
 	timeout = timer_start + tmout;
-	while ((status & ATA_BUSY) && (time_before(jiffies, timeout))) {
+	while (status != 0xff && (status & ATA_BUSY) &&
+	       time_before(jiffies, timeout)) {
 		msleep(50);
 		status = ata_chk_status(ap);
 	}
 
+	if (status == 0xff)
+		return -ENODEV;
+
 	if (status & ATA_BUSY) {
 		ata_port_printk(ap, KERN_ERR, "port failed to respond "
 				"(%lu secs, Status 0x%x)\n",
 				tmout / HZ, status);
-		return 1;
+		return -EBUSY;
 	}
 
 	return 0;
@@ -2448,10 +2456,8 @@ static unsigned int ata_bus_softreset(st
 	 * the bus shows 0xFF because the odd clown forgets the D7
 	 * pulldown resistor.
 	 */
-	if (ata_check_status(ap) == 0xFF) {
-		ata_port_printk(ap, KERN_ERR, "SRST failed (status 0xFF)\n");
-		return AC_ERR_OTHER;
-	}
+	if (ata_check_status(ap) == 0xFF)
+		return 0;
 
 	ata_bus_post_reset(ap, devmask);
 
--- linux-2.6.19.1.orig/include/linux/libata.h
+++ linux-2.6.19.1/include/linux/libata.h
@@ -744,9 +744,8 @@ extern int ata_scsi_device_suspend(struc
 extern int ata_host_suspend(struct ata_host *host, pm_message_t mesg);
 extern void ata_host_resume(struct ata_host *host);
 extern int ata_ratelimit(void);
-extern unsigned int ata_busy_sleep(struct ata_port *ap,
-				   unsigned long timeout_pat,
-				   unsigned long timeout);
+extern int ata_busy_sleep(struct ata_port *ap,
+			  unsigned long timeout_pat, unsigned long timeout);
 extern void ata_port_queue_task(struct ata_port *ap, void (*fn)(void *),
 				void *data, unsigned long delay);
 extern u32 ata_wait_register(void __iomem *reg, u32 mask, u32 val,
@@ -1061,7 +1060,7 @@ static inline u8 ata_busy_wait(struct at
 		udelay(10);
 		status = ata_chk_status(ap);
 		max--;
-	} while ((status & bits) && (max > 0));
+	} while (status != 0xff && (status & bits) && (max > 0));
 
 	return status;
 }
@@ -1082,7 +1081,7 @@ static inline u8 ata_wait_idle(struct at
 {
 	u8 status = ata_busy_wait(ap, ATA_BUSY | ATA_DRQ, 1000);
 
-	if (status & (ATA_BUSY | ATA_DRQ)) {
+	if (status != 0xff && (status & (ATA_BUSY | ATA_DRQ))) {
 		unsigned long l = ap->ioaddr.status_addr;
 		if (ata_msg_warn(ap))
 			printk(KERN_WARNING "ATA: abnormal status 0x%X on port 0x%lX\n",

--

[patch 11/50] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe

[Chris Wright]

[-- Attachment #1: ieee1394-ohci1394-add-ppc_pmac-platform-code-to-driver-probe.patch --]
[-- Type: text/plain, Size: 2157 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Stefan Richter <stefanr@s5r6.in-berlin.de>

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7431
iBook G3 threw a machine check exception and put the display backlight
to full brightness after ohci1394 was unloaded and reloaded.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[dsd@gentoo.org: also added missing if condition, commit
 63cca59e89892497e95e1e9c7156d3345fb7e2e8]
Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
It fixes a kernel oops which occurs when the ohci1394 driver is reloaded on PPC
http://bugs.gentoo.org/154851

 drivers/ieee1394/ohci1394.c |   21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

--- linux-2.6.19.1.orig/drivers/ieee1394/ohci1394.c
+++ linux-2.6.19.1/drivers/ieee1394/ohci1394.c
@@ -3217,6 +3217,19 @@ static int __devinit ohci1394_pci_probe(
 	struct ti_ohci *ohci;	/* shortcut to currently handled device */
 	resource_size_t ohci_base;
 
+#ifdef CONFIG_PPC_PMAC
+	/* Necessary on some machines if ohci1394 was loaded/ unloaded before */
+	if (machine_is(powermac)) {
+		struct device_node *of_node = pci_device_to_OF_node(dev);
+
+		if (of_node) {
+			pmac_call_feature(PMAC_FTR_1394_CABLE_POWER, of_node,
+					  0, 1);
+			pmac_call_feature(PMAC_FTR_1394_ENABLE, of_node, 0, 1);
+		}
+	}
+#endif /* CONFIG_PPC_PMAC */
+
         if (pci_enable_device(dev))
 		FAIL(-ENXIO, "Failed to enable OHCI hardware");
         pci_set_master(dev);
@@ -3505,11 +3518,9 @@ static void ohci1394_pci_remove(struct p
 #endif
 
 #ifdef CONFIG_PPC_PMAC
-	/* On UniNorth, power down the cable and turn off the chip
-	 * clock when the module is removed to save power on
-	 * laptops. Turning it back ON is done by the arch code when
-	 * pci_enable_device() is called */
-	{
+	/* On UniNorth, power down the cable and turn off the chip clock
+	 * to save power on laptops */
+	if (machine_is(powermac)) {
 		struct device_node* of_node;
 
 		of_node = pci_device_to_OF_node(ohci->dev);

--

[patch 12/50] kbuild: dont put temp files in source

[Chris Wright]

[-- Attachment #1: kbuild-don-t-put-temp-files-in-source.patch --]
[-- Type: text/plain, Size: 2603 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Roman Zippel <zippel@linux-m68k.org>

The as-instr/ld-option need to create temporary files, but create them in the
output directory, when compiling external modules.  Reformat them a bit and
use $(CC) instead of $(AS) as the former is used by kbuild to assemble files.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Cc: Andi Kleen <ak@suse.de>
Cc: Jan Beulich <jbeulich@novell.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: <jpdenheijer@gmail.com>
Cc: Horst Schirmeier <horst@schirmeier.com>
Cc: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
It fixes building of external modules in a sandboxed environment.
http://bugs.gentoo.org/149307

 scripts/Kbuild.include |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- linux-2.6.19.1.orig/scripts/Kbuild.include
+++ linux-2.6.19.1/scripts/Kbuild.include
@@ -56,6 +56,9 @@ endef
 # gcc support functions
 # See documentation in Documentation/kbuild/makefiles.txt
 
+# output directory for tests below
+TMPOUT := $(if $(KBUILD_EXTMOD),$(firstword $(KBUILD_EXTMOD))/)
+
 # as-option
 # Usage: cflags-y += $(call as-option, -Wa$(comma)-isa=foo,)
 
@@ -66,9 +69,11 @@ as-option = $(shell if $(CC) $(CFLAGS) $
 # as-instr
 # Usage: cflags-y += $(call as-instr, instr, option1, option2)
 
-as-instr = $(shell if echo -e "$(1)" | $(AS) >/dev/null 2>&1 -W -Z -o astest$$$$.out ; \
-		   then echo "$(2)"; else echo "$(3)"; fi; \
-	           rm -f astest$$$$.out)
+as-instr = $(shell if echo -e "$(1)" | \
+		      $(CC) $(AFLAGS) -c -xassembler - \
+			    -o $(TMPOUT)astest$$$$.out > /dev/null 2>&1; \
+		   then rm $(TMPOUT)astest$$$$.out; echo "$(2)"; \
+		   else echo "$(3)"; fi)
 
 # cc-option
 # Usage: cflags-y += $(call cc-option, -march=winchip-c6, -march=i586)
@@ -97,10 +102,10 @@ cc-ifversion = $(shell if [ $(call cc-ve
 
 # ld-option
 # Usage: ldflags += $(call ld-option, -Wl$(comma)--hash-style=both)
-ld-option = $(shell if $(CC) $(1) \
-			     -nostdlib -o ldtest$$$$.out -xc /dev/null \
-             > /dev/null 2>&1; then echo "$(1)"; else echo "$(2)"; fi; \
-	     rm -f ldtest$$$$.out)
+ld-option = $(shell if $(CC) $(1) -nostdlib -xc /dev/null \
+			     -o $(TMPOUT)ldtest$$$$.out > /dev/null 2>&1; \
+             then rm $(TMPOUT)ldtest$$$$.out; echo "$(1)"; \
+             else echo "$(2)"; fi)
 
 ###
 # Shorthand for $(Q)$(MAKE) -f scripts/Makefile.build obj=

--

[patch 13/50] ARM: Add sys_*at syscalls

[Chris Wright]

[-- Attachment #1: arm-add-sys_-at-syscalls.patch --]
[-- Type: text/plain, Size: 2033 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Russell King <rmk@arm.linux.org.uk>

Later glibc requires the *at syscalls.  Add them.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/arm/kernel/calls.S  |   13 +++++++++++++
 include/asm-arm/unistd.h |   13 +++++++++++++
 2 files changed, 26 insertions(+)

bca0b8e75f6b7cf52cf52c967286b72d84f9b37e
--- linux-2.6.19.1.orig/arch/arm/kernel/calls.S
+++ linux-2.6.19.1/arch/arm/kernel/calls.S
@@ -331,6 +331,19 @@
 		CALL(sys_mbind)
 /* 320 */	CALL(sys_get_mempolicy)
 		CALL(sys_set_mempolicy)
+		CALL(sys_openat)
+		CALL(sys_mkdirat)
+		CALL(sys_mknodat)
+/* 325 */	CALL(sys_fchownat)
+		CALL(sys_futimesat)
+		CALL(sys_fstatat64)
+		CALL(sys_unlinkat)
+		CALL(sys_renameat)
+/* 330 */	CALL(sys_linkat)
+		CALL(sys_symlinkat)
+		CALL(sys_readlinkat)
+		CALL(sys_fchmodat)
+		CALL(sys_faccessat)
 #ifndef syscalls_counted
 .equ syscalls_padding, ((NR_syscalls + 3) & ~3) - NR_syscalls
 #define syscalls_counted
--- linux-2.6.19.1.orig/include/asm-arm/unistd.h
+++ linux-2.6.19.1/include/asm-arm/unistd.h
@@ -347,6 +347,19 @@
 #define __NR_mbind			(__NR_SYSCALL_BASE+319)
 #define __NR_get_mempolicy		(__NR_SYSCALL_BASE+320)
 #define __NR_set_mempolicy		(__NR_SYSCALL_BASE+321)
+#define __NR_openat			(__NR_SYSCALL_BASE+322)
+#define __NR_mkdirat			(__NR_SYSCALL_BASE+323)
+#define __NR_mknodat			(__NR_SYSCALL_BASE+324)
+#define __NR_fchownat			(__NR_SYSCALL_BASE+325)
+#define __NR_futimesat			(__NR_SYSCALL_BASE+326)
+#define __NR_fstatat64			(__NR_SYSCALL_BASE+327)
+#define __NR_unlinkat			(__NR_SYSCALL_BASE+328)
+#define __NR_renameat			(__NR_SYSCALL_BASE+329)
+#define __NR_linkat			(__NR_SYSCALL_BASE+330)
+#define __NR_symlinkat			(__NR_SYSCALL_BASE+331)
+#define __NR_readlinkat			(__NR_SYSCALL_BASE+332)
+#define __NR_fchmodat			(__NR_SYSCALL_BASE+333)
+#define __NR_faccessat			(__NR_SYSCALL_BASE+334)
 
 /*
  * The following SWIs are ARM private.

--

[patch 14/50] sched: remove __cpuinitdata anotation to cpu_isolated_map

[Chris Wright]

[-- Attachment #1: sched-remove-__cpuinitdata-anotation-to-cpu_isolated_map.patch --]
[-- Type: text/plain, Size: 1081 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Tim Chen <tim.c.chen@linux.intel.com>

The structure cpu_isolated_map is used not only during initialization. 
Multi-core scheduler configuration changes and exclusive cpusets 
use this during run time.  During setting of sched_mc_power_savings
 policy, this structure is accessed to update sched_domains.

Signed-off-by: Tim Chen <tim.c.chen@intel.com>
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 kernel/sched.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/kernel/sched.c
+++ linux-2.6.19.1/kernel/sched.c
@@ -5493,7 +5493,7 @@ static void cpu_attach_domain(struct sch
 }
 
 /* cpus with isolated domains */
-static cpumask_t __cpuinitdata cpu_isolated_map = CPU_MASK_NONE;
+static cpumask_t cpu_isolated_map = CPU_MASK_NONE;
 
 /* Setup the mask of cpus configured for isolated domains */
 static int __init isolated_cpu_setup(char *str)

--

[patch 15/50] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G

[Chris Wright]

[-- Attachment #1: ib-srp-fix-fmr-mapping-for-32-bit-kernels-and-addresses-above-4g.patch --]
[-- Type: text/plain, Size: 1786 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Roland Dreier <rdreier@cisco.com>

struct srp_device.fmr_page_mask was unsigned long, which means that
the top part of addresses above 4G was being chopped off on 32-bit
architectures.  Of course nothing good happens when data from SRP
targets is DMAed to the wrong place.

Fix this by changing fmr_page_mask to u64, to match the addresses
actually used by IB devices.

Thanks to Brian Cain <Brian.Cain@ge.com> and David McMillen
<davem@systemfabricworks.com> for help diagnosing the bug and testing
the fix.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
I just asked Linus to pull this.  It fixes nasty corruption/crash
problems on 32-bit systems with > 4G of memory.

 drivers/infiniband/ulp/srp/ib_srp.c |    2 +-
 drivers/infiniband/ulp/srp/ib_srp.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.c
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1879,7 +1879,7 @@ static void srp_add_one(struct ib_device
 	 */
 	srp_dev->fmr_page_shift = max(9, ffs(dev_attr->page_size_cap) - 1);
 	srp_dev->fmr_page_size  = 1 << srp_dev->fmr_page_shift;
-	srp_dev->fmr_page_mask  = ~((unsigned long) srp_dev->fmr_page_size - 1);
+	srp_dev->fmr_page_mask  = ~((u64) srp_dev->fmr_page_size - 1);
 
 	INIT_LIST_HEAD(&srp_dev->dev_list);
 
--- linux-2.6.19.1.orig/drivers/infiniband/ulp/srp/ib_srp.h
+++ linux-2.6.19.1/drivers/infiniband/ulp/srp/ib_srp.h
@@ -87,7 +87,7 @@ struct srp_device {
 	struct ib_fmr_pool     *fmr_pool;
 	int			fmr_page_shift;
 	int			fmr_page_size;
-	unsigned long		fmr_page_mask;
+	u64			fmr_page_mask;
 };
 
 struct srp_host {

--

[patch 16/50] SCSI: add missing cdb clearing in scsi_execute()

[Chris Wright]

[-- Attachment #1: scsi-add-missing-cdb-clearing-in-scsi_execute.patch --]
[-- Type: text/plain, Size: 1047 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Tejun Heo <htejun@gmail.com>

Clear-garbage-after-CDB patch missed scsi_execute() and it causes some
ODDs (HL-DT-ST DVD-RAM GSA-H30N) choke during SCSI scan.  Note that
this patch is only for -stable.  There is another more reliable fix
for this problem proposed for devel tree.

http://thread.gmane.org/gmane.linux.ide/14605/focus=14605

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Douglas Gilbert <dougg@torque.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 drivers/scsi/scsi_lib.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.19.1.orig/drivers/scsi/scsi_lib.c
+++ linux-2.6.19.1/drivers/scsi/scsi_lib.c
@@ -191,6 +191,7 @@ int scsi_execute(struct scsi_device *sde
 		goto out;
 
 	req->cmd_len = COMMAND_SIZE(cmd[0]);
+	memset(req->cmd, 0, BLK_MAX_CDB); /* ATAPI hates garbage after CDB */
 	memcpy(req->cmd, cmd, req->cmd_len);
 	req->sense = sense;
 	req->sense_len = 0;

--

[patch 17/50] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

[Chris Wright]

[-- Attachment #1: bluetooth-add-packet-size-checks-for-capi-messages.patch --]
[-- Type: text/plain, Size: 3492 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Marcel Holtmann <marcel@holtmann.org>

With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 net/bluetooth/cmtp/capi.c |   39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

--- linux-2.6.19.1.orig/net/bluetooth/cmtp/capi.c
+++ linux-2.6.19.1/net/bluetooth/cmtp/capi.c
@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct 
 
 	switch (CAPIMSG_SUBCOMMAND(skb->data)) {
 	case CAPI_CONF:
+		if (skb->len < CAPI_MSG_BASELEN + 10)
+			break;
+
 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
 		info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
 
@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct 
 			break;
 
 		case CAPI_FUNCTION_GET_PROFILE:
+			if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile))
+				break;
+
 			controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11);
 			msgnum = CAPIMSG_MSGID(skb->data);
 
@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct 
 			break;
 
 		case CAPI_FUNCTION_GET_MANUFACTURER:
+			if (skb->len < CAPI_MSG_BASELEN + 15)
+				break;
+
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10);
 
 			if (!info && ctrl) {
+				int len = min_t(uint, CAPI_MANUFACTURER_LEN,
+						skb->data[CAPI_MSG_BASELEN + 14]);
+
+				memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
 				strncpy(ctrl->manu,
-					skb->data + CAPI_MSG_BASELEN + 15,
-					skb->data[CAPI_MSG_BASELEN + 14]);
+					skb->data + CAPI_MSG_BASELEN + 15, len);
 			}
 
 			break;
 
 		case CAPI_FUNCTION_GET_VERSION:
+			if (skb->len < CAPI_MSG_BASELEN + 32)
+				break;
+
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
 
 			if (!info && ctrl) {
@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct 
 			break;
 
 		case CAPI_FUNCTION_GET_SERIAL_NUMBER:
+			if (skb->len < CAPI_MSG_BASELEN + 17)
+				break;
+
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
 
 			if (!info && ctrl) {
+				int len = min_t(uint, CAPI_SERIAL_LEN,
+						skb->data[CAPI_MSG_BASELEN + 16]);
+
 				memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
 				strncpy(ctrl->serial,
-					skb->data + CAPI_MSG_BASELEN + 17,
-					skb->data[CAPI_MSG_BASELEN + 16]);
+					skb->data + CAPI_MSG_BASELEN + 17, len);
 			}
 
 			break;
@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct 
 		break;
 
 	case CAPI_IND:
+		if (skb->len < CAPI_MSG_BASELEN + 6)
+			break;
+
 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
 
 		if (func == CAPI_FUNCTION_LOOPBACK) {
+			int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
+						skb->data[CAPI_MSG_BASELEN + 5]);
 			appl = CAPIMSG_APPID(skb->data);
 			msgnum = CAPIMSG_MSGID(skb->data);
 			cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func,
-						skb->data + CAPI_MSG_BASELEN + 6,
-						skb->data[CAPI_MSG_BASELEN + 5]);
+						skb->data + CAPI_MSG_BASELEN + 6, len);
 		}
 
 		break;
@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_sessi
 
 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
 
+	if (skb->len < CAPI_MSG_BASELEN)
+		return;
+
 	if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) {
 		cmtp_recv_interopmsg(session, skb);
 		return;

--

[patch 18/50] i2c: fix broken ds1337 initialization

[Chris Wright]

[-- Attachment #1: i2c-fix-broken-ds1337-initialization.patch --]
[-- Type: text/plain, Size: 2136 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Dirk Eibach <eibach@gdsys.de>

On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
2.6.18 broke RTC support.

The main problem are changes to ds1337_init_client().
When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
in status register is set. This has to be reset by writing 0 to status
register. But since there are only 16 byte written to the chip and the
first byte is interpreted as an address, the status register (which is
the 16th) is never written.
The other problem is, that initializing all registers to zero is not
valid for day, date and month register. Funny enough this is checked by
ds1337_detect(), which depends on this values not being zero. So then
treated by ds1337_init_client() the ds1337 is not detected anymore,
whereas the failure bit in the status register is still set.

Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
763d9c046a2e511ec090a8986d3f85edf7448e7e).

Signed-off-by: Dirk Stieler <stieler@gdsys.de>
Signed-off-by: Dirk Eibach <eibach@gdsys.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/i2c/chips/ds1337.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/i2c/chips/ds1337.c
+++ linux-2.6.19.1/drivers/i2c/chips/ds1337.c
@@ -347,13 +347,19 @@ static void ds1337_init_client(struct i2
 
 	if ((status & 0x80) || (control & 0x80)) {
 		/* RTC not running */
-		u8 buf[16];
+		u8 buf[1+16];	/* First byte is interpreted as address */
 		struct i2c_msg msg[1];
 
 		dev_dbg(&client->dev, "%s: RTC not running!\n", __FUNCTION__);
 
 		/* Initialize all, including STATUS and CONTROL to zero */
 		memset(buf, 0, sizeof(buf));
+
+		/* Write valid values in the date/time registers */
+		buf[1+DS1337_REG_DAY] = 1;
+		buf[1+DS1337_REG_DATE] = 1;
+		buf[1+DS1337_REG_MONTH] = 1;
+
 		msg[0].addr = client->addr;
 		msg[0].flags = 0;
 		msg[0].len = sizeof(buf);

--

[patch 19/50] sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM idle code

[Chris Wright]

[-- Attachment #1: sched-fix-bad-missed-wakeups-in-the-i386-x86_64-ia64-acpi-and-apm-idle-code.patch --]
[-- Type: text/plain, Size: 8173 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ingo Molnar <mingo@elte.hu>

Fernando Lopez-Lezcano reported frequent scheduling latencies and audio 
xruns starting at the 2.6.18-rt kernel, and those problems persisted all 
until current -rt kernels. The latencies were serious and unjustified by 
system load, often in the milliseconds range.

After a patient and heroic multi-month effort of Fernando, where he 
tested dozens of kernels, tried various configs, boot options, 
test-patches of mine and provided latency traces of those incidents, the 
following 'smoking gun' trace was captured by him:

                 _------=> CPU#
                / _-----=> irqs-off
               | / _----=> need-resched
               || / _---=> hardirq/softirq
               ||| / _--=> preempt-depth
               |||| /
               |||||     delay
   cmd     pid ||||| time  |   caller
      \   /    |||||   \   |   /
  IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup (try_to_wake_up)
  IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup <<...>-5856> (37 0)
  IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup (c01262ba 0 0)
  IRQ_19-1479  1D..1    0us : resched_task (try_to_wake_up)
  IRQ_19-1479  1D..1    0us : __spin_unlock_irqrestore (try_to_wake_up)
  ...
  <idle>-0     1...1   11us!: default_idle (cpu_idle)
  ...
  <idle>-0     0Dn.1  602us : smp_apic_timer_interrupt (c0103baf 1 0)
  ...
   <...>-5856  0D..2  618us : __switch_to (__schedule)
   <...>-5856  0D..2  618us : __schedule <<idle>-0> (20 162)
   <...>-5856  0D..2  619us : __spin_unlock_irq (__schedule)
   <...>-5856  0...1  619us : trace_stop_sched_switched (__schedule)
   <...>-5856  0D..1  619us : trace_stop_sched_switched <<...>-5856> (37 0)

what is visible in this trace is that CPU#1 ran try_to_wake_up() for 
PID:5856, it placed PID:5856 on CPU#0's runqueue and ran resched_task() 
for CPU#0. But it decided to not send an IPI that no CPU - due to 
TS_POLLING. But CPU#0 never woke up after its NEED_RESCHED bit was set, 
and only rescheduled to PID:5856 upon the next lapic timer IRQ. The 
result was a 600+ usecs latency and a missed wakeup!

the bug turned out to be an idle-wakeup bug introduced into the mainline 
kernel this summer via an optimization in the x86_64 tree:

    commit 495ab9c045e1b0e5c82951b762257fe1c9d81564
    Author: Andi Kleen <ak@suse.de>
    Date:   Mon Jun 26 13:59:11 2006 +0200

    [PATCH] i386/x86-64/ia64: Move polling flag into thread_info_status

    During some profiling I noticed that default_idle causes a lot of
    memory traffic. I think that is caused by the atomic operations
    to clear/set the polling flag in thread_info. There is actually
    no reason to make this atomic - only the idle thread does it
    to itself, other CPUs only read it. So I moved it into ti->status.

the problem is this type of change:

        if (!hlt_counter && boot_cpu_data.hlt_works_ok) {
-               clear_thread_flag(TIF_POLLING_NRFLAG);
+               current_thread_info()->status &= ~TS_POLLING;
                smp_mb__after_clear_bit();
                while (!need_resched()) {
                        local_irq_disable();

this changes clear_thread_flag() to an explicit clearing of TS_POLLING. 
clear_thread_flag() is defined as:

        clear_bit(flag, &ti->flags);

and clear_bit() is a LOCK-ed atomic instruction on all x86 platforms:

  static inline void clear_bit(int nr, volatile unsigned long * addr)
  {
          __asm__ __volatile__( LOCK_PREFIX
                  "btrl %1,%0"

hence smp_mb__after_clear_bit() is defined as a simple compile barrier:

  #define smp_mb__after_clear_bit()       barrier()

but the explicit TS_POLLING clearing introduced by the patch:

+               current_thread_info()->status &= ~TS_POLLING;

is not an atomic op! So the clearing of the TS_POLLING bit is freely 
reorderable with the reading of the NEED_RESCHED bit - and both now 
reside in different memory addresses.

CPU idle wakeup very much depends on ordered memory ops, the clearing of 
the TS_POLLING flag must always be done before we test need_resched() 
and hit the idle instruction(s). [Symmetrically, the wakeup code needs 
to set NEED_RESCHED before it tests the TS_POLLING flag, so memory 
ordering is paramount.]

Fernando's dual-core Athlon64 system has a sufficiently advanced memory 
ordering model so that it triggered this scenario very often.

( And it also turned out that the reason why these latencies never
  triggered on my testsystems is that i routinely use idle=poll, which
  was the only idle variant not affected by this bug. )

The fix is to change the smp_mb__after_clear_bit() to an smp_mb(), to 
act as an absolute barrier between the TS_POLLING write and the 
NEED_RESCHED read. This affects almost all idling methods (default, 
ACPI, APM), on all 3 x86 architectures: i386, x86_64, ia64.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Fernando Lopez-Lezcano <nando@ccrma.Stanford.EDU>
[chrisw: backport to 2.6.19.1]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/i386/kernel/apm.c        |    6 +++++-
 arch/i386/kernel/process.c    |    7 ++++++-
 arch/ia64/kernel/process.c    |   10 ++++++++--
 arch/x86_64/kernel/process.c  |    6 +++++-
 drivers/acpi/processor_idle.c |   12 ++++++++++--
 5 files changed, 34 insertions(+), 7 deletions(-)

--- linux-2.6.19.1.orig/arch/i386/kernel/apm.c
+++ linux-2.6.19.1/arch/i386/kernel/apm.c
@@ -784,7 +784,11 @@ static int apm_do_idle(void)
 	polling = !!(current_thread_info()->status & TS_POLLING);
 	if (polling) {
 		current_thread_info()->status &= ~TS_POLLING;
-		smp_mb__after_clear_bit();
+		/*
+		 * TS_POLLING-cleared state must be visible before we
+		 * test NEED_RESCHED:
+		 */
+		smp_mb();
 	}
 	if (!need_resched()) {
 		idled = 1;
--- linux-2.6.19.1.orig/arch/i386/kernel/process.c
+++ linux-2.6.19.1/arch/i386/kernel/process.c
@@ -103,7 +103,12 @@ void default_idle(void)
 
 	if (!hlt_counter && boot_cpu_data.hlt_works_ok) {
 		current_thread_info()->status &= ~TS_POLLING;
-		smp_mb__after_clear_bit();
+		/*
+		 * TS_POLLING-cleared state must be visible before we
+		 * test NEED_RESCHED:
+		 */
+		smp_mb();
+
 		while (!need_resched()) {
 			local_irq_disable();
 			if (!need_resched())
--- linux-2.6.19.1.orig/arch/ia64/kernel/process.c
+++ linux-2.6.19.1/arch/ia64/kernel/process.c
@@ -268,10 +268,16 @@ cpu_idle (void)
 
 	/* endless idle loop with no priority at all */
 	while (1) {
-		if (can_do_pal_halt)
+		if (can_do_pal_halt) {
 			current_thread_info()->status &= ~TS_POLLING;
-		else
+			/*
+			 * TS_POLLING-cleared state must be visible before we
+			 * test NEED_RESCHED:
+			 */
+			smp_mb();
+		} else {
 			current_thread_info()->status |= TS_POLLING;
+		}
 
 		if (!need_resched()) {
 			void (*idle)(void);
--- linux-2.6.19.1.orig/arch/x86_64/kernel/process.c
+++ linux-2.6.19.1/arch/x86_64/kernel/process.c
@@ -111,7 +111,11 @@ static void default_idle(void)
 	local_irq_enable();
 
 	current_thread_info()->status &= ~TS_POLLING;
-	smp_mb__after_clear_bit();
+	/*
+	 * TS_POLLING-cleared state must be visible before we
+	 * test NEED_RESCHED:
+	 */
+	smp_mb();
 	while (!need_resched()) {
 		local_irq_disable();
 		if (!need_resched())
--- linux-2.6.19.1.orig/drivers/acpi/processor_idle.c
+++ linux-2.6.19.1/drivers/acpi/processor_idle.c
@@ -211,7 +211,11 @@ acpi_processor_power_activate(struct acp
 static void acpi_safe_halt(void)
 {
 	current_thread_info()->status &= ~TS_POLLING;
-	smp_mb__after_clear_bit();
+	/*
+	 * TS_POLLING-cleared state must be visible before we
+	 * test NEED_RESCHED:
+	 */
+	smp_mb();
 	if (!need_resched())
 		safe_halt();
 	current_thread_info()->status |= TS_POLLING;
@@ -345,7 +349,11 @@ static void acpi_processor_idle(void)
 	 */
 	if (cx->type == ACPI_STATE_C2 || cx->type == ACPI_STATE_C3) {
 		current_thread_info()->status &= ~TS_POLLING;
-		smp_mb__after_clear_bit();
+		/*
+		 * TS_POLLING-cleared state must be visible before we
+		 * test NEED_RESCHED:
+		 */
+		smp_mb();
 		if (need_resched()) {
 			current_thread_info()->status |= TS_POLLING;
 			local_irq_enable();

--

[patch 20/50] Fix for shmem_truncate_range() BUG_ON()

[Chris Wright]

[-- Attachment #1: fix-for-shmem_truncate_range-bug_on.patch --]
[-- Type: text/plain, Size: 1146 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Badari Pulavarty <pbadari@us.ibm.com>

Ran into BUG() while doing madvise(REMOVE) testing.  If we are punching a
hole into shared memory segment using madvise(REMOVE) and the entire hole
is below the indirect blocks, we hit following assert.

	        BUG_ON(limit <= SHMEM_NR_DIRECT);

Signed-off-by: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 mm/shmem.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- linux-2.6.19.1.orig/mm/shmem.c
+++ linux-2.6.19.1/mm/shmem.c
@@ -515,7 +515,12 @@ static void shmem_truncate_range(struct 
 			size = SHMEM_NR_DIRECT;
 		nr_swaps_freed = shmem_free_swp(ptr+idx, ptr+size);
 	}
-	if (!topdir)
+
+	/*
+	 * If there are no indirect blocks or we are punching a hole
+	 * below indirect blocks, nothing to be done.
+	 */
+	if (!topdir || (punch_hole && (limit <= SHMEM_NR_DIRECT)))
 		goto done2;
 
 	BUG_ON(limit <= SHMEM_NR_DIRECT);

--

[patch 21/50] smc911x: fix netpoll compilation faliure

[Chris Wright]

[-- Attachment #1: smc911x-fix-netpoll-compilation-faliure.patch --]
[-- Type: text/plain, Size: 855 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Vitaly Wool <vitalywool@gmail.com>

Fix the compilation failure for smc911x.c when NET_POLL_CONTROLLER is set.

Signed-off-by: Vitaly Wool <vitalywool@gmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/smc911x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/net/smc911x.c
+++ linux-2.6.19.1/drivers/net/smc911x.c
@@ -1331,7 +1331,7 @@ smc911x_rx_dma_irq(int dma, void *data)
 static void smc911x_poll_controller(struct net_device *dev)
 {
 	disable_irq(dev->irq);
-	smc911x_interrupt(dev->irq, dev, NULL);
+	smc911x_interrupt(dev->irq, dev);
 	enable_irq(dev->irq);
 }
 #endif

--

[patch 22/50] fix aoe without scatter-gather [Bug 7662]

[Chris Wright]

[-- Attachment #1: fix-aoe-without-scatter-gather.patch --]
[-- Type: text/plain, Size: 2597 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ed L Cashin <ecashin@coraid.com>

Fix a bug that only appears when AoE goes over a network card that does not
support scatter-gather.  The headers in the linear part of the skb appeared
to be larger than they really were, resulting in data that was offset by 24
bytes.

This patch eliminates the offset data on cards that don't support
scatter-gather or have had scatter-gather turned off.  There remains an
unrelated issue that I'll address in a separate email.

Fixes bugzilla #7662

Signed-off-by: "Ed L. Cashin" <ecashin@coraid.com>
Cc: <stable@kernel.org>
Cc: Greg KH <greg@kroah.com>
Cc: <boddingt@optusnet.com.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/block/aoe/aoecmd.c |   13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- linux-2.6.19.1.orig/drivers/block/aoe/aoecmd.c
+++ linux-2.6.19.1/drivers/block/aoe/aoecmd.c
@@ -30,8 +30,6 @@ new_skb(ulong len)
 		skb->nh.raw = skb->mac.raw = skb->data;
 		skb->protocol = __constant_htons(ETH_P_AOE);
 		skb->priority = 0;
-		skb_put(skb, len);
-		memset(skb->head, 0, len);
 		skb->next = skb->prev = NULL;
 
 		/* tell the network layer not to perform IP checksums
@@ -122,8 +120,8 @@ aoecmd_ata_rw(struct aoedev *d, struct f
 	skb = f->skb;
 	h = (struct aoe_hdr *) skb->mac.raw;
 	ah = (struct aoe_atahdr *) (h+1);
-	skb->len = sizeof *h + sizeof *ah;
-	memset(h, 0, ETH_ZLEN);
+	skb_put(skb, sizeof *h + sizeof *ah);
+	memset(h, 0, skb->len);
 	f->tag = aoehdr_atainit(d, h);
 	f->waited = 0;
 	f->buf = buf;
@@ -149,7 +147,6 @@ aoecmd_ata_rw(struct aoedev *d, struct f
 		skb->len += bcnt;
 		skb->data_len = bcnt;
 	} else {
-		skb->len = ETH_ZLEN;
 		writebit = 0;
 	}
 
@@ -206,6 +203,7 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigne
 			printk(KERN_INFO "aoe: skb alloc failure\n");
 			continue;
 		}
+		skb_put(skb, sizeof *h + sizeof *ch);
 		skb->dev = ifp;
 		if (sl_tail == NULL)
 			sl_tail = skb;
@@ -243,6 +241,7 @@ freeframe(struct aoedev *d)
 			continue;
 		if (atomic_read(&skb_shinfo(f->skb)->dataref) == 1) {
 			skb_shinfo(f->skb)->nr_frags = f->skb->data_len = 0;
+			skb_trim(f->skb, 0);
 			return f;
 		}
 		n++;
@@ -698,8 +697,8 @@ aoecmd_ata_id(struct aoedev *d)
 	skb = f->skb;
 	h = (struct aoe_hdr *) skb->mac.raw;
 	ah = (struct aoe_atahdr *) (h+1);
-	skb->len = ETH_ZLEN;
-	memset(h, 0, ETH_ZLEN);
+	skb_put(skb, sizeof *h + sizeof *ah);
+	memset(h, 0, skb->len);
 	f->tag = aoehdr_atainit(d, h);
 	f->waited = 0;
 

--

[patch 23/50] UDP: Fix reversed logic in udp_get_port()

[Chris Wright]

[-- Attachment #1: fix-reversed-logic-in-udp_get_port.patch --]
[-- Type: text/plain, Size: 1452 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Miller <davem@davemloft.net>

When this code was converted to use sk_for_each() the
logic for the "best hash chain length" code was reversed,
breaking everything.

The original code was of the form:

			size = 0;
			do {
				if (++size >= best_size_so_far)
					goto next;
			} while ((sk = sk->next) != NULL);
			best_size_so_far = size;
			best = result;
		next:;

and this got converted into:

			sk_for_each(sk2, node, head)
				if (++size < best_size_so_far) {
					best_size_so_far = size;
					best = result;
				}

Which does something very very different from the original.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/udp.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- linux-2.6.19.1.orig/net/ipv4/udp.c
+++ linux-2.6.19.1/net/ipv4/udp.c
@@ -167,11 +167,14 @@ int udp_get_port(struct sock *sk, unsign
 				goto gotit;
 			}
 			size = 0;
-			sk_for_each(sk2, node, head)
-				if (++size < best_size_so_far) {
-					best_size_so_far = size;
-					best = result;
-				}
+			sk_for_each(sk2, node, head) {
+				if (++size >= best_size_so_far)
+					goto next;
+			}
+			best_size_so_far = size;
+			best = result;
+		next:
+			;
 		}
 		result = best;
 		for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {

--

[patch 24/50] cciss: fix XFER_READ/XFER_WRITE in do_cciss_request

[Chris Wright]

[-- Attachment #1: cciss-fix-xfer_read-xfer_write-in-do_cciss_request.patch --]
[-- Type: text/plain, Size: 1308 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Mike Miller <mike.miller@hp.com>

This patch fixes a stupid bug. Sometime during the 2tb enhancement I ended up
replacing the macros XFER_READ and XFER_WRITE with h->cciss_read and
h->cciss_write respectively. It seemed to work somehow at least on x86_64 and
ia64. I don't know how. But people started complaining about command timeouts
on older controllers like the 64xx series and only on ia32. This resolves the
issue reproduced in our lab. Please consider this for inclusion. 

Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/block/cciss.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/block/cciss.c
+++ linux-2.6.19.1/drivers/block/cciss.c
@@ -2530,7 +2530,7 @@ static void do_cciss_request(request_que
 	c->Request.Type.Type = TYPE_CMD;	// It is a command.
 	c->Request.Type.Attribute = ATTR_SIMPLE;
 	c->Request.Type.Direction =
-	    (rq_data_dir(creq) == READ) ? h->cciss_read : h->cciss_write;
+	    (rq_data_dir(creq) == READ) ? XFER_READ : XFER_WRITE;
 	c->Request.Timeout = 0;	// Don't time out
 	c->Request.CDB[0] =
 	    (rq_data_dir(creq) == READ) ? h->cciss_read : h->cciss_write;

--

[patch 25/50] [stable] [stable patch] i386: CPU hotplug broken with 2GB VMSPLIT

[Chris Wright]

[-- Attachment #1: i386-cpu-hotplug-broken-with-2gb-vmsplit.patch --]
[-- Type: text/plain, Size: 807 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Shaohua Li <shaohua.li@intel.com>

In VMSPLIT mode, kernel PGD might have more entries than user space

Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/i386/kernel/smpboot.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/arch/i386/kernel/smpboot.c
+++ linux-2.6.19.1/arch/i386/kernel/smpboot.c
@@ -1095,7 +1095,7 @@ static int __cpuinit __smp_prepare_cpu(i
 
 	/* init low mem mapping */
 	clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
-			KERNEL_PGD_PTRS);
+			min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
 	flush_tlb_all();
 	schedule_work(&task);
 	wait_for_completion(&done);

--

[patch 26/50] ramfs breaks without CONFIG_BLOCK

[Chris Wright]

[-- Attachment #1: ramfs-breaks-without-config_block.patch --]
[-- Type: text/plain, Size: 1714 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Dimitri Gorokhovik <dimitri.gorokhovik@free.fr>

ramfs doesn't provide the .set_dirty_page a_op, and when the BLOCK layer is
not configured in, 'set_page_dirty' makes a call via a NULL pointer.

Signed-off-by: Dimitri Gorokhovik <dimitri.gorokhovik@free.fr>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 fs/ramfs/file-mmu.c   |    4 +++-
 fs/ramfs/file-nommu.c |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/fs/ramfs/file-mmu.c
+++ linux-2.6.19.1/fs/ramfs/file-mmu.c
@@ -25,11 +25,13 @@
  */
 
 #include <linux/fs.h>
+#include <linux/mm.h>
 
 const struct address_space_operations ramfs_aops = {
 	.readpage	= simple_readpage,
 	.prepare_write	= simple_prepare_write,
-	.commit_write	= simple_commit_write
+	.commit_write	= simple_commit_write,
+	.set_page_dirty = __set_page_dirty_nobuffers,
 };
 
 const struct file_operations ramfs_file_operations = {
--- linux-2.6.19.1.orig/fs/ramfs/file-nommu.c
+++ linux-2.6.19.1/fs/ramfs/file-nommu.c
@@ -11,6 +11,7 @@
 
 #include <linux/module.h>
 #include <linux/fs.h>
+#include <linux/mm.h>
 #include <linux/pagemap.h>
 #include <linux/highmem.h>
 #include <linux/init.h>
@@ -30,7 +31,8 @@ static int ramfs_nommu_setattr(struct de
 const struct address_space_operations ramfs_aops = {
 	.readpage		= simple_readpage,
 	.prepare_write		= simple_prepare_write,
-	.commit_write		= simple_commit_write
+	.commit_write		= simple_commit_write,
+	.set_page_dirty = __set_page_dirty_nobuffers,
 };
 
 const struct file_operations ramfs_file_operations = {

--

[patch 27/50] Buglet in vmscan.c

[Chris Wright]

[-- Attachment #1: buglet-in-vmscan.c.patch --]
[-- Type: text/plain, Size: 843 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Shantanu Goel <sgoel01@yahoo.com>

Fix a rather obvious buglet.  Noticed while instrumenting the VM using
/proc/vmstat.

Cc: Christoph Lameter <clameter@engr.sgi.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 mm/vmscan.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/mm/vmscan.c
+++ linux-2.6.19.1/mm/vmscan.c
@@ -691,7 +691,7 @@ static unsigned long shrink_inactive_lis
 			__count_vm_events(KSWAPD_STEAL, nr_freed);
 		} else
 			__count_zone_vm_events(PGSCAN_DIRECT, zone, nr_scan);
-		__count_vm_events(PGACTIVATE, nr_freed);
+		__count_zone_vm_events(PGSTEAL, zone, nr_freed);
 
 		if (nr_taken == 0)
 			goto done;

--

[patch 28/50] softmac: Fixed handling of deassociation from AP

[Chris Wright]

[-- Attachment #1: softmac-fixed-handling-of-deassociation-from-ap.patch --]
[-- Type: text/plain, Size: 2753 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ulrich Kunitz <kune@deine-taler.de>

In 2.6.19 a deauthentication from the AP doesn't start a
reassociation by the softmac code. It appears that
mac->associnfo.associating must be set and the
ieee80211softmac_assoc_work function must be scheduled. This patch
fixes that.

Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Date: Sun, 3 Dec 2006 15:32:00 +0000 (+0100)
Subject: [patch 28/50] [PATCH] softmac: Fixed handling of deassociation from AP
X-Git-Tag: v2.6.20-rc1
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2b50c24554d31c2db2f93b1151b5991e62f96594

 net/ieee80211/softmac/ieee80211softmac_assoc.c |   14 ++++++++++++--
 net/ieee80211/softmac/ieee80211softmac_auth.c  |    2 ++
 net/ieee80211/softmac/ieee80211softmac_priv.h  |    2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_assoc.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_assoc.c
@@ -427,6 +427,17 @@ ieee80211softmac_handle_assoc_response(s
 	return 0;
 }
 
+void
+ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&mac->lock, flags);
+	mac->associnfo.associating = 1;
+	schedule_work(&mac->associnfo.work);
+	spin_unlock_irqrestore(&mac->lock, flags);
+}
+
 int
 ieee80211softmac_handle_disassoc(struct net_device * dev,
 				 struct ieee80211_disassoc *disassoc)
@@ -445,8 +456,7 @@ ieee80211softmac_handle_disassoc(struct 
 	dprintk(KERN_INFO PFX "got disassoc frame\n");
 	ieee80211softmac_disassoc(mac);
 
-	/* try to reassociate */
-	schedule_work(&mac->associnfo.work);
+	ieee80211softmac_try_reassoc(mac);
 
 	return 0;
 }
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_auth.c
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_auth.c
@@ -328,6 +328,8 @@ ieee80211softmac_deauth_from_net(struct 
 	/* can't transmit data right now... */
 	netif_carrier_off(mac->dev);
 	spin_unlock_irqrestore(&mac->lock, flags);
+
+	ieee80211softmac_try_reassoc(mac);
 }
 
 /* 
--- linux-2.6.19.1.orig/net/ieee80211/softmac/ieee80211softmac_priv.h
+++ linux-2.6.19.1/net/ieee80211/softmac/ieee80211softmac_priv.h
@@ -238,4 +238,6 @@ void ieee80211softmac_call_events_locked
 int ieee80211softmac_notify_internal(struct ieee80211softmac_device *mac,
 	int event, void *event_context, notify_function_ptr fun, void *context, gfp_t gfp_mask);
 
+void ieee80211softmac_try_reassoc(struct ieee80211softmac_device *mac);
+
 #endif /* IEEE80211SOFTMAC_PRIV_H_ */

--

[patch 29/50] zd1211rw: Call ieee80211_rx in tasklet

[Chris Wright]

[-- Attachment #1: zd1211rw-call-ieee80211_rx-in-tasklet.patch --]
[-- Type: text/plain, Size: 6786 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ulrich Kunitz <kune@deine-taler.de>

[PATCH] zd1211rw: Call ieee80211_rx in tasklet

The driver called ieee80211_rx in hardware interrupt context.  This has
been against the intention of the ieee80211_rx function.  It caused a bug
in the crypto routines used by WPA.  This patch calls ieee80211_rx in a
tasklet.

Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Date: Sun, 10 Dec 2006 19:13:12 +0000 (-0800)
Subject: [patch 29/50] [PATCH] zd1211rw: Call ieee80211_rx in tasklet
X-Git-Tag: v2.6.20-rc2
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4d1feabcbf41f875447a392015acd0796f57baf6

 drivers/net/wireless/zd1211rw/zd_mac.c |   91 ++++++++++++++++++++++++---------
 drivers/net/wireless/zd1211rw/zd_mac.h |    6 +-
 drivers/net/wireless/zd1211rw/zd_usb.c |    4 -
 3 files changed, 75 insertions(+), 26 deletions(-)

--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.c
@@ -37,6 +37,8 @@ static void housekeeping_init(struct zd_
 static void housekeeping_enable(struct zd_mac *mac);
 static void housekeeping_disable(struct zd_mac *mac);
 
+static void do_rx(unsigned long mac_ptr);
+
 int zd_mac_init(struct zd_mac *mac,
 	        struct net_device *netdev,
 	        struct usb_interface *intf)
@@ -47,6 +49,10 @@ int zd_mac_init(struct zd_mac *mac,
 	spin_lock_init(&mac->lock);
 	mac->netdev = netdev;
 
+	skb_queue_head_init(&mac->rx_queue);
+	tasklet_init(&mac->rx_tasklet, do_rx, (unsigned long)mac);
+	tasklet_disable(&mac->rx_tasklet);
+
 	ieee_init(ieee);
 	softmac_init(ieee80211_priv(netdev));
 	zd_chip_init(&mac->chip, netdev, intf);
@@ -132,6 +138,8 @@ out:
 
 void zd_mac_clear(struct zd_mac *mac)
 {
+	skb_queue_purge(&mac->rx_queue);
+	tasklet_kill(&mac->rx_tasklet);
 	zd_chip_clear(&mac->chip);
 	ZD_ASSERT(!spin_is_locked(&mac->lock));
 	ZD_MEMCLEAR(mac, sizeof(struct zd_mac));
@@ -160,6 +168,8 @@ int zd_mac_open(struct net_device *netde
 	struct zd_chip *chip = &mac->chip;
 	int r;
 
+	tasklet_enable(&mac->rx_tasklet);
+
 	r = zd_chip_enable_int(chip);
 	if (r < 0)
 		goto out;
@@ -210,6 +220,8 @@ int zd_mac_stop(struct net_device *netde
 	 */
 
 	zd_chip_disable_rx(chip);
+	skb_queue_purge(&mac->rx_queue);
+	tasklet_disable(&mac->rx_tasklet);
 	housekeeping_disable(mac);
 	ieee80211softmac_stop(netdev);
 
@@ -873,45 +885,78 @@ static int fill_rx_stats(struct ieee8021
 	return 0;
 }
 
-int zd_mac_rx(struct zd_mac *mac, const u8 *buffer, unsigned int length)
+static void zd_mac_rx(struct zd_mac *mac, struct sk_buff *skb)
 {
 	int r;
 	struct ieee80211_device *ieee = zd_mac_to_ieee80211(mac);
 	struct ieee80211_rx_stats stats;
 	const struct rx_status *status;
-	struct sk_buff *skb;
 
-	if (length < ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
-	             IEEE80211_FCS_LEN + sizeof(struct rx_status))
-		return -EINVAL;
+	if (skb->len < ZD_PLCP_HEADER_SIZE + IEEE80211_1ADDR_LEN +
+	               IEEE80211_FCS_LEN + sizeof(struct rx_status))
+	{
+		dev_dbg_f(zd_mac_dev(mac), "Packet with length %u to small.\n",
+			 skb->len);
+		goto free_skb;
+	}
 
-	r = fill_rx_stats(&stats, &status, mac, buffer, length);
-	if (r)
-		return r;
+	r = fill_rx_stats(&stats, &status, mac, skb->data, skb->len);
+	if (r) {
+		/* Only packets with rx errors are included here. */
+		goto free_skb;
+	}
 
-	length -= ZD_PLCP_HEADER_SIZE+IEEE80211_FCS_LEN+
-		  sizeof(struct rx_status);
-	buffer += ZD_PLCP_HEADER_SIZE;
+	__skb_pull(skb, ZD_PLCP_HEADER_SIZE);
+	__skb_trim(skb, skb->len -
+		        (IEEE80211_FCS_LEN + sizeof(struct rx_status)));
 
-	update_qual_rssi(mac, buffer, length, stats.signal, stats.rssi);
+	update_qual_rssi(mac, skb->data, skb->len, stats.signal,
+		         status->signal_strength);
 
-	r = filter_rx(ieee, buffer, length, &stats);
-	if (r <= 0)
-		return r;
 
-	skb = dev_alloc_skb(sizeof(struct zd_rt_hdr) + length);
-	if (!skb)
-		return -ENOMEM;
+	r = filter_rx(ieee, skb->data, skb->len, &stats);
+	if (r <= 0) {
+		if (r < 0)
+			dev_dbg_f(zd_mac_dev(mac), "Error in packet.\n");
+		goto free_skb;
+	}
+
 	if (ieee->iw_mode == IW_MODE_MONITOR)
-		fill_rt_header(skb_put(skb, sizeof(struct zd_rt_hdr)), mac,
+		fill_rt_header(skb_push(skb, sizeof(struct zd_rt_hdr)), mac,
 			       &stats, status);
-	memcpy(skb_put(skb, length), buffer, length);
 
 	r = ieee80211_rx(ieee, skb, &stats);
-	if (!r) {
-		ZD_ASSERT(in_irq());
-		dev_kfree_skb_irq(skb);
+	if (r)
+		return;
+
+free_skb:
+	/* We are always in a soft irq. */
+	dev_kfree_skb(skb);
+}
+
+static void do_rx(unsigned long mac_ptr)
+{
+	struct zd_mac *mac = (struct zd_mac *)mac_ptr;
+	struct sk_buff *skb;
+
+	while ((skb = skb_dequeue(&mac->rx_queue)) != NULL)
+		zd_mac_rx(mac, skb);
+}
+
+int zd_mac_rx_irq(struct zd_mac *mac, const u8 *buffer, unsigned int length)
+{
+	struct sk_buff *skb;
+
+	skb = dev_alloc_skb(sizeof(struct zd_rt_hdr) + length);
+	if (!skb) {
+		dev_warn(zd_mac_dev(mac), "Could not allocate skb.\n");
+		return -ENOMEM;
 	}
+	skb_reserve(skb, sizeof(struct zd_rt_hdr));
+	memcpy(__skb_put(skb, length), buffer, length);
+	skb_queue_tail(&mac->rx_queue, skb);
+	tasklet_schedule(&mac->rx_tasklet);
+
 	return 0;
 }
 
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_mac.h
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_mac.h
@@ -133,6 +133,10 @@ struct zd_mac {
 	/* Unlocked reading possible */
 	struct iw_statistics iw_stats;
 	struct housekeeping housekeeping;
+
+	struct tasklet_struct rx_tasklet;
+	struct sk_buff_head rx_queue;
+
 	unsigned int stats_count;
 	u8 qual_buffer[ZD_MAC_STATS_BUFFER_SIZE];
 	u8 rssi_buffer[ZD_MAC_STATS_BUFFER_SIZE];
@@ -174,7 +178,7 @@ int zd_mac_open(struct net_device *netde
 int zd_mac_stop(struct net_device *netdev);
 int zd_mac_set_mac_address(struct net_device *dev, void *p);
 
-int zd_mac_rx(struct zd_mac *mac, const u8 *buffer, unsigned int length);
+int zd_mac_rx_irq(struct zd_mac *mac, const u8 *buffer, unsigned int length);
 
 int zd_mac_set_regdomain(struct zd_mac *zd_mac, u8 regdomain);
 u8 zd_mac_get_regdomain(struct zd_mac *zd_mac);
--- linux-2.6.19.1.orig/drivers/net/wireless/zd1211rw/zd_usb.c
+++ linux-2.6.19.1/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -599,13 +599,13 @@ static void handle_rx_packet(struct zd_u
 			n = l+k;
 			if (n > length)
 				return;
-			zd_mac_rx(mac, buffer+l, k);
+			zd_mac_rx_irq(mac, buffer+l, k);
 			if (i >= 2)
 				return;
 			l = (n+3) & ~3;
 		}
 	} else {
-		zd_mac_rx(mac, buffer, length);
+		zd_mac_rx_irq(mac, buffer, length);
 	}
 }
 

--

[patch 30/50] handle ext3 directory corruption better (CVE-2006-6053)

[Chris Wright]

[-- Attachment #1: handle-ext3-directory-corruption-better.patch --]
[-- Type: text/plain, Size: 3458 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Eric Sandeen <sandeen@redhat.com>

I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz

Basically it makes a filesystem, splats some random bits over it, then
tries to mount it and do some simple filesystem actions.

At best, the filesystem catches the corruption gracefully.  At worst,
things spin out of control.

As you might guess, we found a couple places in ext3 where things spin out
of control :)

First, we had a corrupted directory that was never checked for
consistency...  it was corrupt, and pointed to another bad "entry" of
length 0.  The for() loop looped forever, since the length of
ext3_next_entry(de) was 0, and we kept looking at the same pointer over and
over and over and over...  I modeled this check and subsequent action on
what is done for other directory types in ext3_readdir...

(adding this check adds some computational expense; I am testing a followup
patch to reduce the number of times we check and re-check these directory
entries, in all cases.  Thanks for the idea, Andreas).

Next we had a root directory inode which had a corrupted size, claimed to
be > 200M on a 4M filesystem.  There was only really 1 block in the
directory, but because the size was so large, readdir kept coming back for
more, spewing thousands of printk's along the way.

Per Andreas' suggestion, if we're in this read error condition and we're
trying to read an offset which is greater than i_blocks worth of bytes,
stop trying, and break out of the loop.

With these two changes fsfuzz test survives quite well on ext3.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Date: Thu, 7 Dec 2006 04:36:26 +0000 (-0800)
Subject: [patch 30/50] [PATCH] handle ext3 directory corruption better
X-Git-Tag: v2.6.20-rc1
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=40b851348fe9bf49c26025b34261d25142269b60

 fs/ext3/dir.c   |    3 +++
 fs/ext3/namei.c |    9 +++++++++
 2 files changed, 12 insertions(+)

--- linux-2.6.19.1.orig/fs/ext3/dir.c
+++ linux-2.6.19.1/fs/ext3/dir.c
@@ -154,6 +154,9 @@ static int ext3_readdir(struct file * fi
 			ext3_error (sb, "ext3_readdir",
 				"directory #%lu contains a hole at offset %lu",
 				inode->i_ino, (unsigned long)filp->f_pos);
+			/* corrupt size?  Maybe no more blocks to read */
+			if (filp->f_pos > inode->i_blocks << 9)
+				break;
 			filp->f_pos += sb->s_blocksize - offset;
 			continue;
 		}
--- linux-2.6.19.1.orig/fs/ext3/namei.c
+++ linux-2.6.19.1/fs/ext3/namei.c
@@ -552,6 +552,15 @@ static int htree_dirblock_to_tree(struct
 					   dir->i_sb->s_blocksize -
 					   EXT3_DIR_REC_LEN(0));
 	for (; de < top; de = ext3_next_entry(de)) {
+		if (!ext3_check_dir_entry("htree_dirblock_to_tree", dir, de, bh,
+					(block<<EXT3_BLOCK_SIZE_BITS(dir->i_sb))
+						+((char *)de - bh->b_data))) {
+			/* On error, skip the f_pos to the next block. */
+			dir_file->f_pos = (dir_file->f_pos |
+					(dir->i_sb->s_blocksize - 1)) + 1;
+			brelse (bh);
+			return count;
+		}
 		ext3fs_dirhash(de->name, de->name_len, hinfo);
 		if ((hinfo->hash < start_hash) ||
 		    ((hinfo->hash == start_hash) &&

--

[patch 31/50] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

[Chris Wright]

[-- Attachment #1: corrupted-cramfs-filesystems-cause-kernel-oops.patch --]
[-- Type: text/plain, Size: 1905 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Phillip Lougher <phillip@lougher.org.uk>

Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data.  Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.

Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800)
Subject: [patch 31/50] [PATCH] corrupted cramfs filesystems cause kernel oops
X-Git-Tag: v2.6.20-rc1
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bb0269160df2a60764013994d0bc5165406cf4a

 fs/cramfs/inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.19.1.orig/fs/cramfs/inode.c
+++ linux-2.6.19.1/fs/cramfs/inode.c
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
 		pgdata = kmap(page);
 		if (compr_len == 0)
 			; /* hole */
+		else if (compr_len > (PAGE_CACHE_SIZE << 1))
+			printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
 		else {
 			mutex_lock(&read_mutex);
 			bytes_filled = cramfs_uncompress_block(pgdata,

--

[patch 32/50] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

[Chris Wright]

[-- Attachment #1: ext2-skip-pages-past-number-of-blocks-in-ext2_find_entry.patch --]
[-- Type: text/plain, Size: 1430 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Eric Sandeen <sandeen@redhat.com>

This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html

If a directory's i_size is corrupted, ext2_find_entry() will keep processing
pages until the i_size is reached, even if there are no more blocks associated
with the directory inode.  This patch puts in some minimal sanity-checking
so that we don't keep checking pages (and issuing errors) if we know there
can be no more data to read, based on the block count of the directory inode.

This is somewhat similar in approach to the ext3 patch I sent earlier this
year.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Not upstream yet

 fs/ext2/dir.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- linux-2.6.19.1.orig/fs/ext2/dir.c
+++ linux-2.6.19.1/fs/ext2/dir.c
@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entr
 		}
 		if (++n >= npages)
 			n = 0;
+		/* next page is past the blocks we've got */
+		if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) {
+			ext2_error(dir->i_sb, __FUNCTION__,
+				"dir %lu size %lld exceeds block count %llu",
+				dir->i_ino, dir->i_size,
+				(unsigned long long)dir->i_blocks);
+				goto out;
+		}
 	} while (n != start);
 out:
 	return NULL;

--

[patch 33/50] PKTGEN: Fix module load/unload races.

[Chris Wright]

[-- Attachment #1: pktgen-fix-module-load-unload-races.patch --]
[-- Type: text/plain, Size: 2280 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Robert Olsson <Robert.Olsson@data.slu.se>

---
 net/core/pktgen.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/net/core/pktgen.c
+++ linux-2.6.19.1/net/core/pktgen.c
@@ -147,6 +147,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/wait.h>
+#include <linux/completion.h>
 #include <linux/etherdevice.h>
 #include <net/checksum.h>
 #include <net/ipv6.h>
@@ -206,6 +207,11 @@ static struct proc_dir_entry *pg_proc_di
 #define VLAN_TAG_SIZE(x) ((x)->vlan_id == 0xffff ? 0 : 4)
 #define SVLAN_TAG_SIZE(x) ((x)->svlan_id == 0xffff ? 0 : 4)
 
+struct pktgen_thread_info {
+       struct pktgen_thread *t;
+       struct completion *c;
+};
+
 struct flow_state {
 	__u32 cur_daddr;
 	int count;
@@ -3264,10 +3270,11 @@ out:;
  * Main loop of the thread goes here
  */
 
-static void pktgen_thread_worker(struct pktgen_thread *t)
+static void pktgen_thread_worker(struct pktgen_thread_info *info)
 {
 	DEFINE_WAIT(wait);
 	struct pktgen_dev *pkt_dev = NULL;
+	struct pktgen_thread *t = info->t;
 	int cpu = t->cpu;
 	sigset_t tmpsig;
 	u32 max_before_softirq;
@@ -3307,6 +3314,8 @@ static void pktgen_thread_worker(struct 
 	__set_current_state(TASK_INTERRUPTIBLE);
 	mb();
 
+        complete(info->c);
+
 	while (1) {
 
 		__set_current_state(TASK_RUNNING);
@@ -3518,6 +3527,8 @@ static struct pktgen_thread *__init pktg
 static int __init pktgen_create_thread(const char *name, int cpu)
 {
 	int err;
+	struct pktgen_thread_info info;
+        struct completion started;
 	struct pktgen_thread *t = NULL;
 	struct proc_dir_entry *pe;
 
@@ -3558,7 +3569,11 @@ static int __init pktgen_create_thread(c
 
 	t->removed = 0;
 
-	err = kernel_thread((void *)pktgen_thread_worker, (void *)t,
+	init_completion(&started);
+        info.t = t;
+        info.c = &started;
+
+	err = kernel_thread((void *)pktgen_thread_worker, (void *)&info,
 			  CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
 	if (err < 0) {
 		printk("pktgen: kernel_thread() failed for cpu %d\n", t->cpu);
@@ -3568,6 +3583,7 @@ static int __init pktgen_create_thread(c
 		return err;
 	}
 
+	wait_for_completion(&started);
 	return 0;
 }
 

--

[patch 34/50] SPARC64: Fix "mem=xxx" handling.

[Chris Wright]

[-- Attachment #1: sparc64-fix-mem-xxx-handling.patch --]
[-- Type: text/plain, Size: 5009 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Miller <davem@davemloft.net>

We were not being careful enough.  When we trim the physical
memory areas, we have to make sure we don't remove the kernel
image or initial ramdisk image ranges.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 arch/sparc64/mm/init.c |  147 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 124 insertions(+), 23 deletions(-)

--- linux-2.6.19.1.orig/arch/sparc64/mm/init.c
+++ linux-2.6.19.1/arch/sparc64/mm/init.c
@@ -872,6 +872,115 @@ static unsigned long __init choose_bootm
 	prom_halt();
 }
 
+static void __init trim_pavail(unsigned long *cur_size_p,
+			       unsigned long *end_of_phys_p)
+{
+	unsigned long to_trim = *cur_size_p - cmdline_memory_size;
+	unsigned long avoid_start, avoid_end;
+	int i;
+
+	to_trim = PAGE_ALIGN(to_trim);
+
+	avoid_start = avoid_end = 0;
+#ifdef CONFIG_BLK_DEV_INITRD
+	avoid_start = initrd_start;
+	avoid_end = PAGE_ALIGN(initrd_end);
+#endif
+
+	/* Trim some pavail[] entries in order to satisfy the
+	 * requested "mem=xxx" kernel command line specification.
+	 *
+	 * We must not trim off the kernel image area nor the
+	 * initial ramdisk range (if any).  Also, we must not trim
+	 * any pavail[] entry down to zero in order to preserve
+	 * the invariant that all pavail[] entries have a non-zero
+	 * size which is assumed by all of the code in here.
+	 */
+	for (i = 0; i < pavail_ents; i++) {
+		unsigned long start, end, kern_end;
+		unsigned long trim_low, trim_high, n;
+
+		kern_end = PAGE_ALIGN(kern_base + kern_size);
+
+		trim_low = start = pavail[i].phys_addr;
+		trim_high = end = start + pavail[i].reg_size;
+
+		if (kern_base >= start &&
+		    kern_base < end) {
+			trim_low = kern_base;
+			if (kern_end >= end)
+				continue;
+		}
+		if (kern_end >= start &&
+		    kern_end < end) {
+			trim_high = kern_end;
+		}
+		if (avoid_start &&
+		    avoid_start >= start &&
+		    avoid_start < end) {
+			if (trim_low > avoid_start)
+				trim_low = avoid_start;
+			if (avoid_end >= end)
+				continue;
+		}
+		if (avoid_end &&
+		    avoid_end >= start &&
+		    avoid_end < end) {
+			if (trim_high < avoid_end)
+				trim_high = avoid_end;
+		}
+
+		if (trim_high <= trim_low)
+			continue;
+
+		if (trim_low == start && trim_high == end) {
+			/* Whole chunk is available for trimming.
+			 * Trim all except one page, in order to keep
+			 * entry non-empty.
+			 */
+			n = (end - start) - PAGE_SIZE;
+			if (n > to_trim)
+				n = to_trim;
+
+			if (n) {
+				pavail[i].phys_addr += n;
+				pavail[i].reg_size -= n;
+				to_trim -= n;
+			}
+		} else {
+			n = (trim_low - start);
+			if (n > to_trim)
+				n = to_trim;
+
+			if (n) {
+				pavail[i].phys_addr += n;
+				pavail[i].reg_size -= n;
+				to_trim -= n;
+			}
+			if (to_trim) {
+				n = end - trim_high;
+				if (n > to_trim)
+					n = to_trim;
+				if (n) {
+					pavail[i].reg_size -= n;
+					to_trim -= n;
+				}
+			}
+		}
+
+		if (!to_trim)
+			break;
+	}
+
+	/* Recalculate.  */
+	*cur_size_p = 0UL;
+	for (i = 0; i < pavail_ents; i++) {
+		*end_of_phys_p = pavail[i].phys_addr +
+			pavail[i].reg_size;
+		*cur_size_p += pavail[i].reg_size;
+	}
+}
+
 static unsigned long __init bootmem_init(unsigned long *pages_avail,
 					 unsigned long phys_base)
 {
@@ -889,31 +998,13 @@ static unsigned long __init bootmem_init
 		end_of_phys_memory = pavail[i].phys_addr +
 			pavail[i].reg_size;
 		bytes_avail += pavail[i].reg_size;
-		if (cmdline_memory_size) {
-			if (bytes_avail > cmdline_memory_size) {
-				unsigned long slack = bytes_avail - cmdline_memory_size;
-
-				bytes_avail -= slack;
-				end_of_phys_memory -= slack;
-
-				pavail[i].reg_size -= slack;
-				if ((long)pavail[i].reg_size <= 0L) {
-					pavail[i].phys_addr = 0xdeadbeefUL;
-					pavail[i].reg_size = 0UL;
-					pavail_ents = i;
-				} else {
-					pavail[i+1].reg_size = 0Ul;
-					pavail[i+1].phys_addr = 0xdeadbeefUL;
-					pavail_ents = i + 1;
-				}
-				break;
-			}
-		}
 	}
 
-	*pages_avail = bytes_avail >> PAGE_SHIFT;
-
-	end_pfn = end_of_phys_memory >> PAGE_SHIFT;
+	/* Determine the location of the initial ramdisk before trying
+	 * to honor the "mem=xxx" command line argument.  We must know
+	 * where the kernel image and the ramdisk image are so that we
+	 * do not trim those two areas from the physical memory map.
+	 */
 
 #ifdef CONFIG_BLK_DEV_INITRD
 	/* Now have to check initial ramdisk, so that bootmap does not overwrite it */
@@ -932,6 +1023,16 @@ static unsigned long __init bootmem_init
 		}
 	}
 #endif	
+
+	if (cmdline_memory_size &&
+	    bytes_avail > cmdline_memory_size)
+		trim_pavail(&bytes_avail,
+			    &end_of_phys_memory);
+
+	*pages_avail = bytes_avail >> PAGE_SHIFT;
+
+	end_pfn = end_of_phys_memory >> PAGE_SHIFT;
+
 	/* Initialize the boot-time allocator. */
 	max_pfn = max_low_pfn = end_pfn;
 	min_low_pfn = (phys_base >> PAGE_SHIFT);

--

[patch 35/50] SPARC64: Handle ISA devices with no regs property.

[Chris Wright]

[-- Attachment #1: sparc64-handle-isa-devices-with-no-regs-property.patch --]
[-- Type: text/plain, Size: 2668 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Miller <davem@davemloft.net>

And this points out that the return value from
isa_dev_get_resource() and the 'pregs' arg to
isa_dev_get_irq() are totally unused.

Based upon a patch from Richard Mortimer <richm@oldelvet.org.uk>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 arch/sparc64/kernel/isa.c |   20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

--- linux-2.6.19.1.orig/arch/sparc64/kernel/isa.c
+++ linux-2.6.19.1/arch/sparc64/kernel/isa.c
@@ -22,14 +22,15 @@ static void __init report_dev(struct spa
 		printk(" [%s", isa_dev->prom_node->name);
 }
 
-static struct linux_prom_registers * __init
-isa_dev_get_resource(struct sparc_isa_device *isa_dev)
+static void __init isa_dev_get_resource(struct sparc_isa_device *isa_dev)
 {
 	struct linux_prom_registers *pregs;
 	unsigned long base, len;
 	int prop_len;
 
 	pregs = of_get_property(isa_dev->prom_node, "reg", &prop_len);
+	if (!pregs)
+		return;
 
 	/* Only the first one is interesting. */
 	len = pregs[0].reg_size;
@@ -44,12 +45,9 @@ isa_dev_get_resource(struct sparc_isa_de
 
 	request_resource(&isa_dev->bus->parent->io_space,
 			 &isa_dev->resource);
-
-	return pregs;
 }
 
-static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev,
-				   struct linux_prom_registers *pregs)
+static void __init isa_dev_get_irq(struct sparc_isa_device *isa_dev)
 {
 	struct of_device *op = of_find_device_by_node(isa_dev->prom_node);
 
@@ -69,7 +67,6 @@ static void __init isa_fill_children(str
 
 	printk(" ->");
 	while (dp) {
-		struct linux_prom_registers *regs;
 		struct sparc_isa_device *isa_dev;
 
 		isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -87,8 +84,8 @@ static void __init isa_fill_children(str
 		isa_dev->bus = parent_isa_dev->bus;
 		isa_dev->prom_node = dp;
 
-		regs = isa_dev_get_resource(isa_dev);
-		isa_dev_get_irq(isa_dev, regs);
+		isa_dev_get_resource(isa_dev);
+		isa_dev_get_irq(isa_dev);
 
 		report_dev(isa_dev, 1);
 
@@ -101,7 +98,6 @@ static void __init isa_fill_devices(stru
 	struct device_node *dp = isa_br->prom_node->child;
 
 	while (dp) {
-		struct linux_prom_registers *regs;
 		struct sparc_isa_device *isa_dev;
 
 		isa_dev = kmalloc(sizeof(*isa_dev), GFP_KERNEL);
@@ -141,8 +137,8 @@ static void __init isa_fill_devices(stru
 		isa_dev->bus = isa_br;
 		isa_dev->prom_node = dp;
 
-		regs = isa_dev_get_resource(isa_dev);
-		isa_dev_get_irq(isa_dev, regs);
+		isa_dev_get_resource(isa_dev);
+		isa_dev_get_irq(isa_dev);
 
 		report_dev(isa_dev, 0);
 

--

[patch 36/50] NET: Dont export linux/random.h outside __KERNEL__

[Chris Wright]

[-- Attachment #1: net-don-t-export-linux-random.h-outside-__kernel__.patch --]
[-- Type: text/plain, Size: 997 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Woodhouse <dwmw2@infradead.org>

Don't add it there please; add it lower down inside the existing #ifdef
__KERNEL__. You just made the _userspace_ net.h include random.h, which
then fails to compile unless <asm/types.h> was already included.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 include/linux/net.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/include/linux/net.h
+++ linux-2.6.19.1/include/linux/net.h
@@ -19,7 +19,6 @@
 #define _LINUX_NET_H
 
 #include <linux/wait.h>
-#include <linux/random.h>
 #include <asm/socket.h>
 
 struct poll_table_struct;
@@ -57,6 +56,7 @@ typedef enum {
 
 #ifdef __KERNEL__
 #include <linux/stringify.h>
+#include <linux/random.h>
 
 #define SOCK_ASYNC_NOSPACE	0
 #define SOCK_ASYNC_WAITDATA	1

--

[patch 37/50] sparc32: add offset in pci_map_sg()

[Chris Wright]

[-- Attachment #1: sparc32-add-offset-in-pci_map_sg.patch --]
[-- Type: text/plain, Size: 1157 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Jan Andersson <jan.andersson@ieee.org>

Add sg->offset to sg->dvma_address in pci_map_sg() on sparc32.  Without the
offset, transfers to buffers that do not begin on a page boundary will not
work as expected.

Signed-off-by: Jan Andersson <jan.andersson@ieee.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: William Lee Irwin III <wli@holomorphy.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 arch/sparc/kernel/ioport.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.19.1.orig/arch/sparc/kernel/ioport.c
+++ linux-2.6.19.1/arch/sparc/kernel/ioport.c
@@ -728,7 +728,8 @@ int pci_map_sg(struct pci_dev *hwdev, st
 	/* IIep is write-through, not flushing. */
 	for (n = 0; n < nents; n++) {
 		BUG_ON(page_address(sg->page) == NULL);
-		sg->dvma_address = virt_to_phys(page_address(sg->page));
+		sg->dvma_address =
+			virt_to_phys(page_address(sg->page)) + sg->offset;
 		sg->dvma_length = sg->length;
 		sg++;
 	}

--

[patch 38/50] VM: Fix nasty and subtle race in shared mmaped page writeback

[Chris Wright]

[-- Attachment #1: vm-fix-nasty-and-subtle-race-in-shared-mmap-ed-page-writeback.patch --]
[-- Type: text/plain, Size: 4512 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Linus Torvalds <torvalds@macmini.osdl.org>

The VM layer (on the face of it, fairly reasonably) expected that when
it does a ->writepage() call to the filesystem, it would write out the
full page at that point in time.  Especially since it had earlier marked
the whole page dirty with "set_page_dirty()".

But that isn't actually the case: ->writepage() does not actually write
a page, it writes the parts of the page that have been explicitly marked
dirty before, *and* that had not got written out for other reasons since
the last time we told it they were dirty.

That last caveat is the important one.

Which _most_ of the time ends up being the whole page (since we had
called "set_page_dirty()" on the page earlier), but if the filesystem
had done any dirty flushing of its own (for example, to honor some
internal write ordering guarantees), it might end up doing only a
partial page IO (or none at all) when ->writepage() is actually called.

That is the correct thing in general (since we actually often _want_
only the known-dirty parts of the page to be written out), but the
shared dirty page handling had implicitly forgotten about these details,
and had a number of cases where it was doing just the "->writepage()"
part, without telling the low-level filesystem that the whole page might
have been re-dirtied as part of being mapped writably into user space.

Since most of the time the FS did actually write out the full page, we
didn't notice this for a loong time, and this needed some really odd
patterns to trigger.  But it caused occasional corruption with rtorrent
and with the Debian "apt" database, because both use shared mmaps to
update the end result.

This fixes it. Finally. After way too much hair-pulling.

Acked-by: Nick Piggin <nickpiggin@yahoo.com.au>
Acked-by: Martin J. Bligh <mbligh@google.com>
Acked-by: Martin Michlmayr <tbm@cyrius.com>
Acked-by: Martin Johansson <martin@fatbob.nu>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Andrei Popa <andrei.popa@i-neo.ro>
Cc: High Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>,
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Segher Boessenkool <segher@kernel.crashing.org>
Cc: David Miller <davem@davemloft.net>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Gordon Farquharson <gordonfarquharson@gmail.com>
Cc: Guillaume Chazarain <guichaz@yahoo.fr>
Cc: Theodore Tso <tytso@mit.edu>
Cc: Kenneth Cheng <kenneth.w.chen@intel.com>
Cc: Tobias Diedrich <ranma@tdiedrich.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[chrisw: backport to 2.6.19.1]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 mm/page-writeback.c |   39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

--- linux-2.6.19.1.orig/mm/page-writeback.c
+++ linux-2.6.19.1/mm/page-writeback.c
@@ -893,12 +893,41 @@ int clear_page_dirty_for_io(struct page 
 {
 	struct address_space *mapping = page_mapping(page);
 
-	if (mapping) {
+	if (mapping && mapping_cap_account_dirty(mapping)) {
+		/*
+		 * Yes, Virginia, this is indeed insane.
+		 *
+		 * We use this sequence to make sure that
+		 *  (a) we account for dirty stats properly
+		 *  (b) we tell the low-level filesystem to
+		 *      mark the whole page dirty if it was
+		 *      dirty in a pagetable. Only to then
+		 *  (c) clean the page again and return 1 to
+		 *      cause the writeback.
+		 *
+		 * This way we avoid all nasty races with the
+		 * dirty bit in multiple places and clearing
+		 * them concurrently from different threads.
+		 *
+		 * Note! Normally the "set_page_dirty(page)"
+		 * has no effect on the actual dirty bit - since
+		 * that will already usually be set. But we
+		 * need the side effects, and it can help us
+		 * avoid races.
+		 *
+		 * We basically use the page "master dirty bit"
+		 * as a serialization point for all the different
+		 * threads doing their things.
+		 *
+		 * FIXME! We still have a race here: if somebody
+		 * adds the page back to the page tables in
+		 * between the "page_mkclean()" and the "TestClearPageDirty()",
+		 * we might have it mapped without the dirty bit set.
+		 */
+		if (page_mkclean(page))
+			set_page_dirty(page);
 		if (TestClearPageDirty(page)) {
-			if (mapping_cap_account_dirty(mapping)) {
-				page_mkclean(page);
-				dec_zone_page_state(page, NR_FILE_DIRTY);
-			}
+			dec_zone_page_state(page, NR_FILE_DIRTY);
 			return 1;
 		}
 		return 0;

--

[patch 39/50] V4L: cx2341x: audio_properties is an u16, not u8

[Chris Wright]

[-- Attachment #1: v4l-cx2341x-audio_properties-is-an-u16-not-u8.patch --]
[-- Type: text/plain, Size: 948 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Hans Verkuil <hverkuil@xs4all.nl>

This bug broke the MPEG audio mode controls.

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
(cherry picked from commit cb2c7b4927c8f376b7ba9557978d8c59ed472664)

 include/media/cx2341x.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/include/media/cx2341x.h
+++ linux-2.6.19.1/include/media/cx2341x.h
@@ -49,7 +49,7 @@ struct cx2341x_mpeg_params {
 	enum v4l2_mpeg_audio_mode_extension audio_mode_extension;
 	enum v4l2_mpeg_audio_emphasis audio_emphasis;
 	enum v4l2_mpeg_audio_crc audio_crc;
-	u8 audio_properties;
+	u16 audio_properties;
 
 	/* video */
 	enum v4l2_mpeg_video_encoding video_encoding;

--

[patch 40/50] dvb-core: fix bug in CRC-32 checking on 64-bit systems

[Chris Wright]

[-- Attachment #1: dvb-core-fix-bug-in-crc-32-checking-on-64-bit-systems.patch --]
[-- Type: text/plain, Size: 1892 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Ang Way Chuang <wcang@nrg.cs.usm.my>

CRC-32 checking during ULE decapsulation always failed on x86_64 systems due
to the size of a variable used to store CRC. This bug was discovered on
Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
problem. This patch has been tested on 64-bit system as well as 32-bit system.

Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
(cherry picked from commit dedcefb085fe98a1feaf63590fe2fc7e0ecb1987)

 drivers/media/dvb/dvb-core/dvb_net.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/drivers/media/dvb/dvb-core/dvb_net.c
+++ linux-2.6.19.1/drivers/media/dvb/dvb-core/dvb_net.c
@@ -604,7 +604,7 @@ static void dvb_net_ule( struct net_devi
 				{ &utype, sizeof utype },
 				{ priv->ule_skb->data, priv->ule_skb->len - 4 }
 			};
-			unsigned long ule_crc = ~0L, expected_crc;
+			u32 ule_crc = ~0L, expected_crc;
 			if (priv->ule_dbit) {
 				/* Set D-bit for CRC32 verification,
 				 * if it was set originally. */
@@ -617,7 +617,7 @@ static void dvb_net_ule( struct net_devi
 				       *((u8 *)priv->ule_skb->tail - 2) << 8 |
 				       *((u8 *)priv->ule_skb->tail - 1);
 			if (ule_crc != expected_crc) {
-				printk(KERN_WARNING "%lu: CRC32 check FAILED: %#lx / %#lx, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n",
+				printk(KERN_WARNING "%lu: CRC32 check FAILED: %08x / %08x, SNDU len %d type %#x, ts_remain %d, next 2: %x.\n",
 				       priv->ts_count, ule_crc, expected_crc, priv->ule_sndu_len, priv->ule_sndu_type, ts_remain, ts_remain > 2 ? *(unsigned short *)from_where : 0);
 
 #ifdef ULE_DEBUG

--

[patch 41/50] V4L: cx88: Fix leadtek_eeprom tagging

[Chris Wright]

[-- Attachment #1: v4l-cx88-fix-leadtek_eeprom-tagging.patch --]
[-- Type: text/plain, Size: 1307 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Jean Delvare <khali@linux-fr.org>

reference to .init.text: from .text between 'cx88_card_setup'
(at offset 0x68c) and 'cx88_risc_field'
Caused by leadtek_eeprom() being declared __devinit and called from
a non-devinit context.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
(cherry picked from commit 69f7e75a9d45e5eaca16917a8d0dedf76149f13f)

 drivers/media/video/cx88/cx88-cards.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/media/video/cx88/cx88-cards.c
+++ linux-2.6.19.1/drivers/media/video/cx88/cx88-cards.c
@@ -1610,7 +1610,7 @@ const unsigned int cx88_idcount = ARRAY_
 /* ----------------------------------------------------------------------- */
 /* some leadtek specific stuff                                             */
 
-static void __devinit leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
+static void leadtek_eeprom(struct cx88_core *core, u8 *eeprom_data)
 {
 	/* This is just for the "Winfast 2000XP Expert" board ATM; I don't have data on
 	 * any others.

--

[patch 42/50] ebtables: dont compute gap before checking struct type

[Chris Wright]

[-- Attachment #1: ebtables-don-t-compute-gap-before-checking-struct-type.patch --]
[-- Type: text/plain, Size: 1333 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Chuck Ebbert <76306.1226@compuserve.com>

We cannot compute the gap until we know we have a 'struct ebt_entry'
and not 'struct ebt_entries'.  Failure to check can cause crash.

Tested-by: Santiago Garcia Mantinan <manty@manty.net>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/bridge/netfilter/ebtables.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.19.1.orig/net/bridge/netfilter/ebtables.c
+++ linux-2.6.19.1/net/bridge/netfilter/ebtables.c
@@ -575,7 +575,7 @@ ebt_check_entry(struct ebt_entry *e, str
 	struct ebt_entry_target *t;
 	struct ebt_target *target;
 	unsigned int i, j, hook = 0, hookmask = 0;
-	size_t gap = e->next_offset - e->target_offset;
+	size_t gap;
 	int ret;
 
 	/* don't mess with the struct ebt_entries */
@@ -625,6 +625,7 @@ ebt_check_entry(struct ebt_entry *e, str
 	if (ret != 0)
 		goto cleanup_watchers;
 	t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
+	gap = e->next_offset - e->target_offset;
 	target = find_target_lock(t->u.name, &ret, &ebt_mutex);
 	if (!target)
 		goto cleanup_watchers;

--

[patch 43/50] SOUND: Sparc CS4231: Fix IRQ return value and initialization.

[Chris Wright]

[-- Attachment #1: sound-sparc-cs4231-fix-irq-return-value-and-initialization.patch --]
[-- Type: text/plain, Size: 2580 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Georg Chini <georg.chini@triaton-webhosting.com>

fix some initialisation problems.

Change period_bytes_min from 4096 to 256 to allow driver to work with
low latency (VOIP) applications. Hope this does not break EBUS.

Signed-off-by: Georg Chini <georg.chini@triaton-webhosting.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
commit d35a1b9e10481c9f1d3b87e778a0f1f6a0a2dd48

 sound/sparc/cs4231.c |   26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
+++ linux-2.6.19.1/sound/sparc/cs4231.c
@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
 	.channels_min		= 1,
 	.channels_max		= 2,
 	.buffer_bytes_max	= (32*1024),
-	.period_bytes_min	= 4096,
+	.period_bytes_min	= 256,
 	.period_bytes_max	= (32*1024),
 	.periods_min		= 1,
 	.periods_max		= 1024,
@@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423
 	.channels_min		= 1,
 	.channels_max		= 2,
 	.buffer_bytes_max	= (32*1024),
-	.period_bytes_min	= 4096,
+	.period_bytes_min	= 256,
 	.period_bytes_max	= (32*1024),
 	.periods_min		= 1,
 	.periods_max		= 1024,
@@ -1796,7 +1796,7 @@ static irqreturn_t snd_cs4231_sbus_inter
 	snd_cs4231_outm(chip, CS4231_IRQ_STATUS, ~CS4231_ALL_IRQS | ~status, 0);
 	spin_unlock_irqrestore(&chip->lock, flags);
 
-	return 0;
+	return IRQ_HANDLED;
 }
 
 /*
@@ -1821,7 +1821,6 @@ static int sbus_dma_request(struct cs423
 	if (!(csr & test))
 		goto out;
 	err = -EBUSY;
-	csr = sbus_readl(base->regs + APCCSR);
 	test = APC_XINT_CNVA;
 	if ( base->dir == APC_PLAY )
 		test = APC_XINT_PNVA;
@@ -1862,17 +1861,16 @@ static void sbus_dma_enable(struct cs423
 
 	spin_lock_irqsave(&base->lock, flags);
 	if (!on) {
-		if (base->dir == APC_PLAY) { 
-			sbus_writel(0, base->regs + base->dir + APCNVA); 
-			sbus_writel(1, base->regs + base->dir + APCC); 
-		}
-		else
-		{
-			sbus_writel(0, base->regs + base->dir + APCNC); 
-			sbus_writel(0, base->regs + base->dir + APCVA); 
-		} 
+		sbus_writel(0, base->regs + base->dir + APCNC);
+		sbus_writel(0, base->regs + base->dir + APCNVA);
+		sbus_writel(0, base->regs + base->dir + APCC);
+		sbus_writel(0, base->regs + base->dir + APCVA);
+
+		/* ACK any APC interrupts. */
+		csr = sbus_readl(base->regs + APCCSR);
+		sbus_writel(csr, base->regs + APCCSR);
 	} 
-	udelay(600); 
+	udelay(1000);
 	csr = sbus_readl(base->regs + APCCSR);
 	shift = 0;
 	if ( base->dir == APC_PLAY )

--

[patch 44/50] SOUND: Sparc CS4231: Use 64 for period_bytes_min

[Chris Wright]

[-- Attachment #1: sound-sparc-cs4231-use-64-for-period_bytes_min.patch --]
[-- Type: text/plain, Size: 1082 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Miller <davem@davemloft.net>

    
This matches what the ISA cs4231 driver uses.

Tested by Georg Chini.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
commit f9af1d9deaaffe6803dec693748498886915d766

 sound/sparc/cs4231.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
+++ linux-2.6.19.1/sound/sparc/cs4231.c
@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
 	.channels_min		= 1,
 	.channels_max		= 2,
 	.buffer_bytes_max	= (32*1024),
-	.period_bytes_min	= 256,
+	.period_bytes_min	= 64,
 	.period_bytes_max	= (32*1024),
 	.periods_min		= 1,
 	.periods_max		= 1024,
@@ -1288,7 +1288,7 @@ static struct snd_pcm_hardware snd_cs423
 	.channels_min		= 1,
 	.channels_max		= 2,
 	.buffer_bytes_max	= (32*1024),
-	.period_bytes_min	= 256,
+	.period_bytes_min	= 64,
 	.period_bytes_max	= (32*1024),
 	.periods_min		= 1,
 	.periods_max		= 1024,

--

[patch 45/50] IPV4/IPV6: Fix inet{,6} device initialization order.

[Chris Wright]

[-- Attachment #1: ipv4-ipv6-fix-inet-6-device-initialization-order.patch --]
[-- Type: text/plain, Size: 1920 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David L Stevens <dlstevens@us.ibm.com>

It is important that we only assign dev->ip{,6}_ptr
only after all portions of the inet{,6} are setup.

Otherwise we can receive packets before the multicast
spinlocks et al. are initialized.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
commit 30c4cf577fb5b68c16e5750d6bdbd7072e42b279

 net/ipv4/devinet.c  |    5 +++--
 net/ipv6/addrconf.c |    4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

--- linux-2.6.19.1.orig/net/ipv4/devinet.c
+++ linux-2.6.19.1/net/ipv4/devinet.c
@@ -165,9 +165,8 @@ struct in_device *inetdev_init(struct ne
 			      NET_IPV4_NEIGH, "ipv4", NULL, NULL);
 #endif
 
-	/* Account for reference dev->ip_ptr */
+	/* Account for reference dev->ip_ptr (below) */
 	in_dev_hold(in_dev);
-	rcu_assign_pointer(dev->ip_ptr, in_dev);
 
 #ifdef CONFIG_SYSCTL
 	devinet_sysctl_register(in_dev, &in_dev->cnf);
@@ -176,6 +175,8 @@ struct in_device *inetdev_init(struct ne
 	if (dev->flags & IFF_UP)
 		ip_mc_up(in_dev);
 out:
+	/* we can receive as soon as ip_ptr is set -- do this last */
+	rcu_assign_pointer(dev->ip_ptr, in_dev);
 	return in_dev;
 out_kfree:
 	kfree(in_dev);
--- linux-2.6.19.1.orig/net/ipv6/addrconf.c
+++ linux-2.6.19.1/net/ipv6/addrconf.c
@@ -413,8 +413,6 @@ static struct inet6_dev * ipv6_add_dev(s
 	if (netif_carrier_ok(dev))
 		ndev->if_flags |= IF_READY;
 
-	/* protected by rtnl_lock */
-	rcu_assign_pointer(dev->ip6_ptr, ndev);
 
 	ipv6_mc_init_dev(ndev);
 	ndev->tstamp = jiffies;
@@ -425,6 +423,8 @@ static struct inet6_dev * ipv6_add_dev(s
 			      NULL);
 	addrconf_sysctl_register(ndev, &ndev->cnf);
 #endif
+	/* protected by rtnl_lock */
+	rcu_assign_pointer(dev->ip6_ptr, ndev);
 	return ndev;
 }
 

--

[patch 46/50] asix: Fix typo for AX88772 PHY Selection

[Chris Wright]

[-- Attachment #1: asix-fix-typo-for-ax88772-phy-selection.patch --]
[-- Type: text/plain, Size: 1140 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: David Hollis <dhollis@davehollis.com>

The attached patch fixes a PHY selection problem that prevents AX88772
based devices (Linksys USB200Mv2, etc) devices from working.  The
interface comes up and everything seems fine except the device doesn't
send/receive any packets.  The one-liner attached fixes this issue and
makes the devices usable again.

Signed-off-by: David Hollis <dhollis@davehollis.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Patch has already been applied for 2.6.20+ kernels but it would be very
helpful for end-users/distributions to have this fixed in the 2.6.19
series as well.

 drivers/usb/net/asix.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.19.1.orig/drivers/usb/net/asix.c
+++ linux-2.6.19.1/drivers/usb/net/asix.c
@@ -920,7 +920,7 @@ static int ax88772_bind(struct usbnet *d
 		goto out2;
 
 	if ((ret = asix_write_cmd(dev, AX_CMD_SW_PHY_SELECT,
-				0x0000, 0, 0, buf)) < 0) {
+				1, 0, 0, buf)) < 0) {
 		dbg("Select PHY #1 failed: %d", ret);
 		goto out2;
 	}

--

[patch 47/50] NetLabel: correctly fill in unused CIPSOv4 level and category mappings

[Chris Wright]

[-- Attachment #1: netlabel-correctly-fill-in-unused-cipsov4-level-and-category-mappings.patch --]
[-- Type: text/plain, Size: 2130 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Paul Moore <paul.moore@hp.com>

Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentially dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value.  The result
is the mappings data in the kernel contains bogus mappings which always map to
zero.  Having level and category mappings that map to zero could result in the
kernel assigning incorrect security attributes to packets.

This patch restores the old/correct behavior by initializing the mapping
data to the correct sentinel value.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/netlabel/netlabel_cipso_v4.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- linux-2.6.19.1.orig/net/netlabel/netlabel_cipso_v4.c
+++ linux-2.6.19.1/net/netlabel/netlabel_cipso_v4.c
@@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct
 	struct nlattr *nla_b;
 	int nla_a_rem;
 	int nla_b_rem;
+	u32 iter;
 
 	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
 	    !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
@@ -223,6 +224,10 @@ static int netlbl_cipsov4_add_std(struct
 		ret_val = -ENOMEM;
 		goto add_std_failure;
 	}
+	for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
+		doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
+	for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
+		doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
 	nla_for_each_nested(nla_a,
 			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
 			    nla_a_rem)
@@ -296,6 +301,10 @@ static int netlbl_cipsov4_add_std(struct
 			ret_val = -ENOMEM;
 			goto add_std_failure;
 		}
+		for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
+			doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
+		for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
+			doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
 		nla_for_each_nested(nla_a,
 				    info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
 				    nla_a_rem)

--

[patch 48/50] connector: some fixes for ia64 unaligned access errors

[Chris Wright]

[-- Attachment #1: connector-some-fixes-for-ia64-unaligned-access-errors.patch --]
[-- Type: text/plain, Size: 3112 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Erik Jacobson <erikj@sgi.com>

On ia64, the various functions that make up cn_proc.c cause kernel
unaligned access errors.

If you are using these, for example, to get notification about all tasks
forking and exiting, you get multiple unaligned access errors per process.

Use put_unaligned() in the appropriate palces to fix this.

Signed-off-by: Erik Jacobson <erikj@sgi.com>
Cc: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Cc: Tony Luck <tony.luck@intel.com>
Cc: <stable@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/connector/cn_proc.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- linux-2.6.19.1.orig/drivers/connector/cn_proc.c
+++ linux-2.6.19.1/drivers/connector/cn_proc.c
@@ -28,6 +28,7 @@
 #include <linux/init.h>
 #include <linux/connector.h>
 #include <asm/atomic.h>
+#include <asm/unaligned.h>
 
 #include <linux/cn_proc.h>
 
@@ -60,7 +61,7 @@ void proc_fork_connector(struct task_str
 	ev = (struct proc_event*)msg->data;
 	get_seq(&msg->seq, &ev->cpu);
 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
-	ev->timestamp_ns = timespec_to_ns(&ts);
+	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
 	ev->what = PROC_EVENT_FORK;
 	ev->event_data.fork.parent_pid = task->real_parent->pid;
 	ev->event_data.fork.parent_tgid = task->real_parent->tgid;
@@ -88,7 +89,7 @@ void proc_exec_connector(struct task_str
 	ev = (struct proc_event*)msg->data;
 	get_seq(&msg->seq, &ev->cpu);
 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
-	ev->timestamp_ns = timespec_to_ns(&ts);
+	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
 	ev->what = PROC_EVENT_EXEC;
 	ev->event_data.exec.process_pid = task->pid;
 	ev->event_data.exec.process_tgid = task->tgid;
@@ -124,7 +125,7 @@ void proc_id_connector(struct task_struc
 	     	return;
 	get_seq(&msg->seq, &ev->cpu);
 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
-	ev->timestamp_ns = timespec_to_ns(&ts);
+	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
 
 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
 	msg->ack = 0; /* not used */
@@ -146,7 +147,7 @@ void proc_exit_connector(struct task_str
 	ev = (struct proc_event*)msg->data;
 	get_seq(&msg->seq, &ev->cpu);
 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
-	ev->timestamp_ns = timespec_to_ns(&ts);
+	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
 	ev->what = PROC_EVENT_EXIT;
 	ev->event_data.exit.process_pid = task->pid;
 	ev->event_data.exit.process_tgid = task->tgid;
@@ -181,7 +182,7 @@ static void cn_proc_ack(int err, int rcv
 	ev = (struct proc_event*)msg->data;
 	msg->seq = rcvd_seq;
 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
-	ev->timestamp_ns = timespec_to_ns(&ts);
+	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
 	ev->cpu = -1;
 	ev->what = PROC_EVENT_NONE;
 	ev->event_data.ack.err = err;

--

[patch 49/50] fix OOM killing of swapoff

[Chris Wright]

[-- Attachment #1: fix-oom-killing-of-swapoff.patch --]
[-- Type: text/plain, Size: 1504 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Hugh Dickins <hugh@veritas.com>

These days, if you swapoff when there isn't enough memory, OOM killer gives
"BUG: scheduling while atomic" and the machine hangs: badness() needs to do
its PF_SWAPOFF return after the task_unlock (tasklist_lock is also held
here, so p isn't going to be freed: PF_SWAPOFF might get turned off at any
moment, but that doesn't really matter).

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 mm/oom_kill.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- linux-2.6.19.1.orig/mm/oom_kill.c
+++ linux-2.6.19.1/mm/oom_kill.c
@@ -61,12 +61,6 @@ unsigned long badness(struct task_struct
 	}
 
 	/*
-	 * swapoff can easily use up all memory, so kill those first.
-	 */
-	if (p->flags & PF_SWAPOFF)
-		return ULONG_MAX;
-
-	/*
 	 * The memory size of the process is the basis for the badness.
 	 */
 	points = mm->total_vm;
@@ -77,6 +71,12 @@ unsigned long badness(struct task_struct
 	task_unlock(p);
 
 	/*
+	 * swapoff can easily use up all memory, so kill those first.
+	 */
+	if (p->flags & PF_SWAPOFF)
+		return ULONG_MAX;
+
+	/*
 	 * Processes which fork a lot of child processes are likely
 	 * a good choice. We add half the vmsize of the children if they
 	 * have an own mm. This prevents forking servers to flood the

--

[patch 50/50] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

[Chris Wright]

[-- Attachment #1: fix-incorrect-user-space-access-locking-in-mincore.patch --]
[-- Type: text/plain, Size: 6727 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Linus Torvalds <torvalds@woody.osdl.org>

Doug Chapman noticed that mincore() will doa "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no.  While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
schenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.

Cc: Doug Chapman <dchapman@redhat.com>
Cc: Marcel Holtmann <holtmann@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>
[chrisw: fold in subsequent fix: 4fb23e439ce0]
Acked-by: Hugh Dickins <hugh@veritas.com>
[chrisw: fold in subsequent fix: 825020c3866e]
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 mm/mincore.c |  181 +++++++++++++++++++++++++----------------------------------
 1 file changed, 77 insertions(+), 104 deletions(-)

--- linux-2.6.19.1.orig/mm/mincore.c
+++ linux-2.6.19.1/mm/mincore.c
@@ -1,7 +1,7 @@
 /*
  *	linux/mm/mincore.c
  *
- * Copyright (C) 1994-1999  Linus Torvalds
+ * Copyright (C) 1994-2006  Linus Torvalds
  */
 
 /*
@@ -38,46 +38,51 @@ static unsigned char mincore_page(struct
 	return present;
 }
 
-static long mincore_vma(struct vm_area_struct * vma,
-	unsigned long start, unsigned long end, unsigned char __user * vec)
+/*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+ * just return the amount of info we're asked for.
+ */
+static long do_mincore(unsigned long addr, unsigned char *vec, unsigned long pages)
 {
-	long error, i, remaining;
-	unsigned char * tmp;
-
-	error = -ENOMEM;
-	if (!vma->vm_file)
-		return error;
-
-	start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
-	if (end > vma->vm_end)
-		end = vma->vm_end;
-	end = ((end - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
-
-	error = -EAGAIN;
-	tmp = (unsigned char *) __get_free_page(GFP_KERNEL);
-	if (!tmp)
-		return error;
-
-	/* (end - start) is # of pages, and also # of bytes in "vec */
-	remaining = (end - start),
+	unsigned long i, nr, pgoff;
+	struct vm_area_struct *vma = find_vma(current->mm, addr);
 
-	error = 0;
-	for (i = 0; remaining > 0; remaining -= PAGE_SIZE, i++) {
-		int j = 0;
-		long thispiece = (remaining < PAGE_SIZE) ?
-						remaining : PAGE_SIZE;
+	/*
+	 * find_vma() didn't find anything above us, or we're
+	 * in an unmapped hole in the address space: ENOMEM.
+	 */
+	if (!vma || addr < vma->vm_start)
+		return -ENOMEM;
 
-		while (j < thispiece)
-			tmp[j++] = mincore_page(vma, start++);
+	/*
+	 * Ok, got it. But check whether it's a segment we support
+	 * mincore() on. Right now, we don't do any anonymous mappings.
+	 *
+	 * FIXME: This is just stupid. And returning ENOMEM is 
+	 * stupid too. We should just look at the page tables. But
+	 * this is what we've traditionally done, so we'll just
+	 * continue doing it.
+	 */
+	if (!vma->vm_file)
+		return -ENOMEM;
 
-		if (copy_to_user(vec + PAGE_SIZE * i, tmp, thispiece)) {
-			error = -EFAULT;
-			break;
-		}
-	}
+	/*
+	 * Calculate how many pages there are left in the vma, and
+	 * what the pgoff is for our address.
+	 */
+	nr = (vma->vm_end - addr) >> PAGE_SHIFT;
+	if (nr > pages)
+		nr = pages;
+
+	pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+	pgoff += vma->vm_pgoff;
+
+	/* And then we just fill the sucker in.. */
+	for (i = 0 ; i < nr; i++, pgoff++)
+		vec[i] = mincore_page(vma, pgoff);
 
-	free_page((unsigned long) tmp);
-	return error;
+	return nr;
 }
 
 /*
@@ -107,82 +112,50 @@ static long mincore_vma(struct vm_area_s
 asmlinkage long sys_mincore(unsigned long start, size_t len,
 	unsigned char __user * vec)
 {
-	int index = 0;
-	unsigned long end, limit;
-	struct vm_area_struct * vma;
-	size_t max;
-	int unmapped_error = 0;
-	long error;
+	long retval;
+	unsigned long pages;
+	unsigned char *tmp;
 
-	/* check the arguments */
+	/* Check the start address: needs to be page-aligned.. */
  	if (start & ~PAGE_CACHE_MASK)
-		goto einval;
-
-	limit = TASK_SIZE;
-	if (start >= limit)
-		goto enomem;
+		return -EINVAL;
 
-	if (!len)
-		return 0;
+	/* ..and we need to be passed a valid user-space range */
+	if (!access_ok(VERIFY_READ, (void __user *) start, len))
+		return -ENOMEM;
 
-	max = limit - start;
-	len = PAGE_CACHE_ALIGN(len);
-	if (len > max || !len)
-		goto enomem;
+	/* This also avoids any overflows on PAGE_CACHE_ALIGN */
+	pages = len >> PAGE_SHIFT;
+	pages += (len & ~PAGE_MASK) != 0;
 
-	end = start + len;
+	if (!access_ok(VERIFY_WRITE, vec, pages))
+		return -EFAULT;
 
-	/* check the output buffer whilst holding the lock */
-	error = -EFAULT;
-	down_read(&current->mm->mmap_sem);
-
-	if (!access_ok(VERIFY_WRITE, vec, len >> PAGE_SHIFT))
-		goto out;
-
-	/*
-	 * If the interval [start,end) covers some unmapped address
-	 * ranges, just ignore them, but return -ENOMEM at the end.
-	 */
-	error = 0;
+	tmp = (void *) __get_free_page(GFP_USER);
+	if (!tmp)
+		return -EAGAIN;
 
-	vma = find_vma(current->mm, start);
-	while (vma) {
-		/* Here start < vma->vm_end. */
-		if (start < vma->vm_start) {
-			unmapped_error = -ENOMEM;
-			start = vma->vm_start;
-		}
+	retval = 0;
+	while (pages) {
+		/*
+		 * Do at most PAGE_SIZE entries per iteration, due to
+		 * the temporary buffer size.
+		 */
+		down_read(&current->mm->mmap_sem);
+		retval = do_mincore(start, tmp, min(pages, PAGE_SIZE));
+		up_read(&current->mm->mmap_sem);
 
-		/* Here vma->vm_start <= start < vma->vm_end. */
-		if (end <= vma->vm_end) {
-			if (start < end) {
-				error = mincore_vma(vma, start, end,
-							&vec[index]);
-				if (error)
-					goto out;
-			}
-			error = unmapped_error;
-			goto out;
+		if (retval <= 0)
+			break;
+		if (copy_to_user(vec, tmp, retval)) {
+			retval = -EFAULT;
+			break;
 		}
-
-		/* Here vma->vm_start <= start < vma->vm_end < end. */
-		error = mincore_vma(vma, start, vma->vm_end, &vec[index]);
-		if (error)
-			goto out;
-		index += (vma->vm_end - start) >> PAGE_CACHE_SHIFT;
-		start = vma->vm_end;
-		vma = vma->vm_next;
+		pages -= retval;
+		vec += retval;
+		start += retval << PAGE_SHIFT;
+		retval = 0;
 	}
-
-	/* we found a hole in the area queried if we arrive here */
-	error = -ENOMEM;
-
-out:
-	up_read(&current->mm->mmap_sem);
-	return error;
-
-einval:
-	return -EINVAL;
-enomem:
-	return -ENOMEM;
+	free_page((unsigned long) tmp);
+	return retval;
 }

--

Re: [patch 00/50] -stable review

[Chris Wright]

rollup available (when mirroring completes):

	http://www.kernel.org/pub/linux/kernel/people/chrisw/stable/patch-2.6.19.2-rc1.{gz,bz2}

Re: [patch 43/50] SOUND: Sparc CS4231: Fix IRQ return value and initialization.

[Jan Engelhardt]

>Subject: [patch 43/50] SOUND: Sparc CS4231: Fix IRQ return value and
>    initialization.
>
>--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
>+++ linux-2.6.19.1/sound/sparc/cs4231.c
>@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
> 	.channels_min		= 1,
> 	.channels_max		= 2,
> 	.buffer_bytes_max	= (32*1024),
>-	.period_bytes_min	= 4096,
>+	.period_bytes_min	= 256,
> 	.period_bytes_max	= (32*1024),
> 	.periods_min		= 1,
> 	.periods_max		= 1024,


>Subject: [patch 44/50] SOUND: Sparc CS4231: Use 64 for period_bytes_min
>--- linux-2.6.19.1.orig/sound/sparc/cs4231.c
>+++ linux-2.6.19.1/sound/sparc/cs4231.c
>@@ -1268,7 +1268,7 @@ static struct snd_pcm_hardware snd_cs423
> 	.channels_min		= 1,
> 	.channels_max		= 2,
> 	.buffer_bytes_max	= (32*1024),
>-	.period_bytes_min	= 256,
>+	.period_bytes_min	= 64,
> 	.period_bytes_max	= (32*1024),
> 	.periods_min		= 1,
> 	.periods_max		= 1024,

Can't 44 be folded into 43?


	-`J'
-- 

Re: [patch 28/50] softmac: Fixed handling of deassociation from AP

[John W. Linville]

On Fri, Jan 05, 2007 at 06:28:21PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> From: Ulrich Kunitz <kune@deine-taler.de>
> 
> In 2.6.19 a deauthentication from the AP doesn't start a
> reassociation by the softmac code. It appears that
> mac->associnfo.associating must be set and the
> ieee80211softmac_assoc_work function must be scheduled. This patch
> fixes that.
> 
> Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

ACK

-- 
John W. Linville
linville@tuxdriver.com

Re: [patch 29/50] zd1211rw: Call ieee80211_rx in tasklet

[John W. Linville]

On Fri, Jan 05, 2007 at 06:28:22PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> From: Ulrich Kunitz <kune@deine-taler.de>
> 
> [PATCH] zd1211rw: Call ieee80211_rx in tasklet
> 
> The driver called ieee80211_rx in hardware interrupt context.  This has
> been against the intention of the ieee80211_rx function.  It caused a bug
> in the crypto routines used by WPA.  This patch calls ieee80211_rx in a
> tasklet.
> 
> Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
> Signed-off-by: Andrew Morton <akpm@osdl.org>
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

ACK

-- 
John W. Linville
linville@tuxdriver.com

Re: [patch 04/50] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie

[John W. Linville]

On Fri, Jan 05, 2007 at 06:27:57PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> From: Ulrich Kunitz <kune@deine-taler.de>
> 
> ieee80211softmac_wx_get_genie locks the associnfo mutex at
> function exit. This patch fixes it. The patch is against Linus'
> tree (commit af1713e0).
> 
> Signed-off-by: Ulrich Kunitz <kune@deine-taler.de>
> Signed-off-by: Michael Buesch <mb@bu3sch.de>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

ACK

-- 
John W. Linville
linville@tuxdriver.com

Re: [patch 09/50] Revert "[PATCH] zd1211rw: Removed unneeded packed attributes"

[John W. Linville]

On Fri, Jan 05, 2007 at 06:28:02PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> From: John W. Linville <linville@tuxdriver.com>
> 
> This reverts commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7.
> 
> Quoth Daniel Drake <dsd@gentoo.org>:
> 
> "A user reported that commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7
> (Remove unneeded packed attributes) breaks the zd1211rw driver on ARM."
> 
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

ACK

-- 
John W. Linville
linville@tuxdriver.com

Re: [patch 00/50] -stable review

[Michael Krufky]

Chris Wright wrote:
> This is the start of the stable review cycle for the 2.6.19.2 release.
> There are 50 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let us know.  If anyone is a maintainer of the proper subsystem, and
> wants to add a Signed-off-by: line to the patch, please respond with it.
> 
> These patches are sent out with a number of different people on the
> Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
> to add your name to the list.  If you want to be off the reviewer list,
> also email us.
> 
> Responses should be made by Mon Jan 8 02:30 UTC.
> Anything received after that time might be too late.

At which point was 2.6.18.y dropped?  I thought we were always going to keep
the last two stable kernels up-to-date.  Have I been wasting my time fwd'ing
2.6.18.y patches?

-Mike Krufky

Re: [stable] [patch 00/50] -stable review

[Greg KH]

On Sun, Feb 04, 2007 at 01:24:18PM -0500, Michael Krufky wrote:
> Chris Wright wrote:
> > This is the start of the stable review cycle for the 2.6.19.2 release.
> > There are 50 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let us know.  If anyone is a maintainer of the proper subsystem, and
> > wants to add a Signed-off-by: line to the patch, please respond with it.
> > 
> > These patches are sent out with a number of different people on the
> > Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
> > to add your name to the list.  If you want to be off the reviewer list,
> > also email us.
> > 
> > Responses should be made by Mon Jan 8 02:30 UTC.
> > Anything received after that time might be too late.
> 
> At which point was 2.6.18.y dropped?  I thought we were always going to keep
> the last two stable kernels up-to-date.  Have I been wasting my time fwd'ing
> 2.6.18.y patches?

It was dropped a while ago, sorry.

I'll go through the archives and see if there's enough to do a .18
release (and the patches are serious enough to warrent it.)

thanks,

greg k-h

Re: [stable] [patch 00/50] -stable review

[Chris Wright]

* Greg KH (greg@kroah.com) wrote:
> On Sun, Feb 04, 2007 at 01:24:18PM -0500, Michael Krufky wrote:
> > At which point was 2.6.18.y dropped?  I thought we were always going to keep
> > the last two stable kernels up-to-date.

Not quite.  It's more of a "some overlap," so that as soon as 2.6.x
comes out we don't instantly drop 2.6.(x-1).y stream.  But we don't keep
it going, typically more 1 or 2 2.6.(x-1).y releases once 2.6.x is out.

> > Have I been wasting my time fwd'ing
> > 2.6.18.y patches?

I had actually queued them up, but we only had 1 or 2 other patches,
and they weren't significant enough to warrant flushing that queue.

thanks,
-chris

Re: [stable] [patch 00/50] -stable review

[Michael Krufky]

Greg KH wrote:
> On Sun, Feb 04, 2007 at 01:24:18PM -0500, Michael Krufky wrote:
>> Chris Wright wrote:
>>> This is the start of the stable review cycle for the 2.6.19.2 release.
>>> There are 50 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let us know.  If anyone is a maintainer of the proper subsystem, and
>>> wants to add a Signed-off-by: line to the patch, please respond with it.
>>>
>>> These patches are sent out with a number of different people on the
>>> Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
>>> to add your name to the list.  If you want to be off the reviewer list,
>>> also email us.
>>>
>>> Responses should be made by Mon Jan 8 02:30 UTC.
>>> Anything received after that time might be too late.
>> At which point was 2.6.18.y dropped?  I thought we were always going to keep
>> the last two stable kernels up-to-date.  Have I been wasting my time fwd'ing
>> 2.6.18.y patches?
> 
> It was dropped a while ago, sorry.
> 
> I'll go through the archives and see if there's enough to do a .18
> release (and the patches are serious enough to warrent it.)

Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
you don't mind holding off a day or two (wont have time to prepare these until
tomorrow evening)...  One of them is a security fix, that allows a non-root user
to hang the kernel given the correct circumstances.

Maybe you guys can make some sort of announcement before the -stable kernel is
closed.  I know that now that 2.6.20 is released, implicitly 2.6.18.y is
closed... but it's been a long while since the last 2.6.18.y release, so I
wasn't sure if patches were still being accepted.

Regards,

Michael Krufky

Re: [stable] [patch 00/50] -stable review

[Greg KH]

On Mon, Feb 05, 2007 at 02:12:33PM -0800, Chris Wright wrote:
> * Greg KH (greg@kroah.com) wrote:
> > On Sun, Feb 04, 2007 at 01:24:18PM -0500, Michael Krufky wrote:
> > > At which point was 2.6.18.y dropped?  I thought we were always going to keep
> > > the last two stable kernels up-to-date.
> 
> Not quite.  It's more of a "some overlap," so that as soon as 2.6.x
> comes out we don't instantly drop 2.6.(x-1).y stream.  But we don't keep
> it going, typically more 1 or 2 2.6.(x-1).y releases once 2.6.x is out.
> 
> > > Have I been wasting my time fwd'ing
> > > 2.6.18.y patches?
> 
> I had actually queued them up, but we only had 1 or 2 other patches,
> and they weren't significant enough to warrant flushing that queue.

I'll see if the latest stuff that is queued up and some other stuff is
worth to push out a new release in a few days.

thanks,

greg k-h

Re: [stable] [patch 00/50] -stable review

[Greg KH]

On Mon, Feb 05, 2007 at 05:16:11PM -0500, Michael Krufky wrote:
> Greg KH wrote:
> > On Sun, Feb 04, 2007 at 01:24:18PM -0500, Michael Krufky wrote:
> >> Chris Wright wrote:
> >>> This is the start of the stable review cycle for the 2.6.19.2 release.
> >>> There are 50 patches in this series, all will be posted as a response
> >>> to this one.  If anyone has any issues with these being applied, please
> >>> let us know.  If anyone is a maintainer of the proper subsystem, and
> >>> wants to add a Signed-off-by: line to the patch, please respond with it.
> >>>
> >>> These patches are sent out with a number of different people on the
> >>> Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
> >>> to add your name to the list.  If you want to be off the reviewer list,
> >>> also email us.
> >>>
> >>> Responses should be made by Mon Jan 8 02:30 UTC.
> >>> Anything received after that time might be too late.
> >> At which point was 2.6.18.y dropped?  I thought we were always going to keep
> >> the last two stable kernels up-to-date.  Have I been wasting my time fwd'ing
> >> 2.6.18.y patches?
> > 
> > It was dropped a while ago, sorry.
> > 
> > I'll go through the archives and see if there's enough to do a .18
> > release (and the patches are serious enough to warrent it.)
> 
> Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
> you don't mind holding off a day or two (wont have time to prepare these until
> tomorrow evening)...  One of them is a security fix, that allows a non-root user
> to hang the kernel given the correct circumstances.

Ok, that's serious enough :)

I'll wait for your patches.

> Maybe you guys can make some sort of announcement before the -stable kernel is
> closed.  I know that now that 2.6.20 is released, implicitly 2.6.18.y is
> closed... but it's been a long while since the last 2.6.18.y release, so I
> wasn't sure if patches were still being accepted.

I thought we did at the time we did the last release, but I'll try to
remember to highlight it a more prominently next time.

thanks,

greg k-h

Re: [stable] [patch 00/50] -stable review

[Michael Krufky]

Greg KH wrote:

>>> I'll go through the archives and see if there's enough to do a .18
>>> release (and the patches are serious enough to warrent it.)
>> Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
>> you don't mind holding off a day or two (wont have time to prepare these until
>> tomorrow evening)...  One of them is a security fix, that allows a non-root user
>> to hang the kernel given the correct circumstances.
> 
> Ok, that's serious enough :)
> 
> I'll wait for your patches.
> 
> thanks,
> 
> greg k-h

I've uploaded the remaining pending v4l/dvb -stable patches for both 2.6.18.y
and 2.6.19.y to the following locations:

http://linuxtv.org/~mkrufky/stable/2.6.18.y/ (8 patches)

and

http://linuxtv.org/~mkrufky/stable/2.6.19.y/ (5 patches)

Using the mailer at my current location, I am unable to send patches inline, and
I won't have the time for it this evening.  In the interest of saving time, I
figured that sending them to you in this method is good enough.  If you still
need for me to send them via email inline, please let me know.

Best Regards,

Michael Krufky

Re: [stable] [patch 00/50] -stable review

[Michael Krufky]

Michael Krufky wrote:
> Greg KH wrote:
> 
>>>> I'll go through the archives and see if there's enough to do a .18
>>>> release (and the patches are serious enough to warrent it.)
>>> Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
>>> you don't mind holding off a day or two (wont have time to prepare these until
>>> tomorrow evening)...  One of them is a security fix, that allows a non-root user
>>> to hang the kernel given the correct circumstances.
>> Ok, that's serious enough :)
>>
>> I'll wait for your patches.
>>
>> thanks,
>>
>> greg k-h
> 
> I've uploaded the remaining pending v4l/dvb -stable patches for both 2.6.18.y
> and 2.6.19.y to the following locations:
> 
> http://linuxtv.org/~mkrufky/stable/2.6.18.y/ (8 patches)
> 
> and
> 
> http://linuxtv.org/~mkrufky/stable/2.6.19.y/ (5 patches)
> 
> Using the mailer at my current location, I am unable to send patches inline, and
> I won't have the time for it this evening.  In the interest of saving time, I
> figured that sending them to you in this method is good enough.  If you still
> need for me to send them via email inline, please let me know.

Greg & Chris,

I haven't heard from either of you about these patches, nor have I seen any
update to the stable-queue.

Just for clarification, the security fix patch, that prevents a non-root user
from hanging the kernel is the patch entitled,

"V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockup"

...as per Mauro's description, here:

http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg113820.html

Regards,

Michael Krufky

Re: [stable] [patch 00/50] -stable review

[Greg KH]

On Fri, Feb 09, 2007 at 02:41:05PM -0500, Michael Krufky wrote:
> Michael Krufky wrote:
> > Greg KH wrote:
> > 
> >>>> I'll go through the archives and see if there's enough to do a .18
> >>>> release (and the patches are serious enough to warrent it.)
> >>> Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
> >>> you don't mind holding off a day or two (wont have time to prepare these until
> >>> tomorrow evening)...  One of them is a security fix, that allows a non-root user
> >>> to hang the kernel given the correct circumstances.
> >> Ok, that's serious enough :)
> >>
> >> I'll wait for your patches.
> >>
> >> thanks,
> >>
> >> greg k-h
> > 
> > I've uploaded the remaining pending v4l/dvb -stable patches for both 2.6.18.y
> > and 2.6.19.y to the following locations:
> > 
> > http://linuxtv.org/~mkrufky/stable/2.6.18.y/ (8 patches)
> > 
> > and
> > 
> > http://linuxtv.org/~mkrufky/stable/2.6.19.y/ (5 patches)
> > 
> > Using the mailer at my current location, I am unable to send patches inline, and
> > I won't have the time for it this evening.  In the interest of saving time, I
> > figured that sending them to you in this method is good enough.  If you still
> > need for me to send them via email inline, please let me know.
> 
> Greg & Chris,
> 
> I haven't heard from either of you about these patches, nor have I seen any
> update to the stable-queue.
> 
> Just for clarification, the security fix patch, that prevents a non-root user
> from hanging the kernel is the patch entitled,
> 
> "V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockup"
> 
> ...as per Mauro's description, here:
> 
> http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg113820.html

Thanks, I'll be flushing out the stable queue later on tonight and will
pick up all of these patches.

greg k-h

Re: [stable] [patch 00/50] -stable review

[Greg KH]

On Fri, Feb 09, 2007 at 11:51:56AM -0800, Greg KH wrote:
> On Fri, Feb 09, 2007 at 02:41:05PM -0500, Michael Krufky wrote:
> > Michael Krufky wrote:
> > > Greg KH wrote:
> > > 
> > >>>> I'll go through the archives and see if there's enough to do a .18
> > >>>> release (and the patches are serious enough to warrent it.)
> > >>> Actually, I have a few more -stable patches for both 2.6.18.y and 2.6.19.y, if
> > >>> you don't mind holding off a day or two (wont have time to prepare these until
> > >>> tomorrow evening)...  One of them is a security fix, that allows a non-root user
> > >>> to hang the kernel given the correct circumstances.
> > >> Ok, that's serious enough :)
> > >>
> > >> I'll wait for your patches.
> > >>
> > >> thanks,
> > >>
> > >> greg k-h
> > > 
> > > I've uploaded the remaining pending v4l/dvb -stable patches for both 2.6.18.y
> > > and 2.6.19.y to the following locations:
> > > 
> > > http://linuxtv.org/~mkrufky/stable/2.6.18.y/ (8 patches)
> > > 
> > > and
> > > 
> > > http://linuxtv.org/~mkrufky/stable/2.6.19.y/ (5 patches)
> > > 
> > > Using the mailer at my current location, I am unable to send patches inline, and
> > > I won't have the time for it this evening.  In the interest of saving time, I
> > > figured that sending them to you in this method is good enough.  If you still
> > > need for me to send them via email inline, please let me know.
> > 
> > Greg & Chris,
> > 
> > I haven't heard from either of you about these patches, nor have I seen any
> > update to the stable-queue.
> > 
> > Just for clarification, the security fix patch, that prevents a non-root user
> > from hanging the kernel is the patch entitled,
> > 
> > "V4L: buf_qbuf: fix videobuf_queue->stream corruption and lockup"
> > 
> > ...as per Mauro's description, here:
> > 
> > http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg113820.html
> 
> Thanks, I'll be flushing out the stable queue later on tonight and will
> pick up all of these patches.

Ok, I've now gotten all of these for .19 and .18.

If I've missed anything, please let me know.

thanks for your patience.

greg k-h

Re: [stable] [patch 00/50] -stable review

[Michael Krufky]

Greg KH wrote:
> Ok, I've now gotten all of these for .19 and .18.
> 
> If I've missed anything, please let me know.
> 
> thanks for your patience.

Looks good... Thank you, Greg.

Greg KH wrote:
> This will probably be the last release of the 2.6.19-stable series, so
> if there are patches that you feel should be applied to that tree,
> please let me know.

Normally, I would wait for a patch to appear in Linus' tree before I send it to -stable,
however, this patch can not wait.  Since 2.6.18-stable and 2.6.19-stable have their last
releases pending review, it is imperative that this final patch be added to the queue, if
possible.

This patch was recently submitted, and fixes many horrible, previously unexplained bugs of the
past.

Please queue this for the final 2.6.18 and 2.6.19 -stable releases, as well as for 2.6.20.1

Thank you,

Michael Krufky

---

dvbdev: fix illegal re-usage of fileoperations struct

From: Marcel Siegert <mws@linuxtv.org>

 Arjan van de Ven <arjan@infradead.org> reported an illegal re-usage of the fileoperations struct
 if more than one dvb device(e.g. frontend) is present. this patch fixes this issue.
 it allocates a new fileoperations struct each time a device is registered and copies the default
 template fileops.

Signed-off-by: Marcel Siegert <mws@linuxtv.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>

---
 linux/drivers/media/dvb/dvb-core/dvbdev.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- linux/drivers/media/dvb/dvb-core/dvbdev.c.orig
+++ linux/drivers/media/dvb/dvb-core/dvbdev.c
@@ -211,6 +211,8 @@
 			const struct dvb_device *template, void *priv, int type)
 {
 	struct dvb_device *dvbdev;
+	struct file_operations *dvbdevfops;
+
 	int id;
 
 	if (mutex_lock_interruptible(&dvbdev_register_lock))
@@ -230,12 +232,22 @@
 		return -ENOMEM;
 	}
 
+	dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL);
+
+	if (!dvbdevfops) {
+		kfree (dvbdev);
+		mutex_unlock(&dvbdev_register_lock);
+		return -ENOMEM;
+	}
+
 	memcpy(dvbdev, template, sizeof(struct dvb_device));
 	dvbdev->type = type;
 	dvbdev->id = id;
 	dvbdev->adapter = adap;
 	dvbdev->priv = priv;
+	dvbdev->fops = dvbdevfops;
 
+	memcpy(dvbdev->fops, template->fops, sizeof(struct file_operations));
 	dvbdev->fops->owner = adap->module;
 
 	list_add_tail (&dvbdev->list_head, &adap->device_list);
@@ -263,6 +275,7 @@
 					dvbdev->type, dvbdev->id)));
 
 	list_del (&dvbdev->list_head);
+	kfree (dvbdev->fops);
 	kfree (dvbdev);
 }
 EXPORT_SYMBOL(dvb_unregister_device);

Re: [v4l-dvb-maintainer] Re: [stable] [patch 00/50] -stable review

[Michael Krufky]

Michael Krufky wrote:
> Greg KH wrote:
>> Ok, I've now gotten all of these for .19 and .18.
>>
>> If I've missed anything, please let me know.
>>
>> thanks for your patience.
> 
> Looks good... Thank you, Greg.
> 
> Greg KH wrote:
>> This will probably be the last release of the 2.6.19-stable series, so
>> if there are patches that you feel should be applied to that tree,
>> please let me know.
> 
> Normally, I would wait for a patch to appear in Linus' tree before I send it to -stable,
> however, this patch can not wait.  Since 2.6.18-stable and 2.6.19-stable have their last
> releases pending review, it is imperative that this final patch be added to the queue, if
> possible.

It is merged into Linus' tree now:

http://www2.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b61901024776b25ce7b8edc31bb1757c7382a88e

... The only difference is that the changeset in Linus' tree also changes some
whitespace.

Please merge this into 2.6.18.y, 2.6.19.y and 2.6.20.y

Adrian, this should also apply against 2.6.16.y

Thank you,

Michael Krufky

---

dvbdev: fix illegal re-usage of fileoperations struct

From: Marcel Siegert <mws@linuxtv.org>

 Arjan van de Ven <arjan@infradead.org> reported an illegal re-usage of the
fileoperations struct
 if more than one dvb device(e.g. frontend) is present. this patch fixes this issue.
 it allocates a new fileoperations struct each time a device is registered and
copies the default
 template fileops.

Signed-off-by: Marcel Siegert <mws@linuxtv.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>

---
 linux/drivers/media/dvb/dvb-core/dvbdev.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- linux/drivers/media/dvb/dvb-core/dvbdev.c.orig
+++ linux/drivers/media/dvb/dvb-core/dvbdev.c
@@ -211,6 +211,8 @@
 			const struct dvb_device *template, void *priv, int type)
 {
 	struct dvb_device *dvbdev;
+	struct file_operations *dvbdevfops;
+
 	int id;

 	if (mutex_lock_interruptible(&dvbdev_register_lock))
@@ -230,12 +232,22 @@
 		return -ENOMEM;
 	}

+	dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL);
+
+	if (!dvbdevfops) {
+		kfree (dvbdev);
+		mutex_unlock(&dvbdev_register_lock);
+		return -ENOMEM;
+	}
+
 	memcpy(dvbdev, template, sizeof(struct dvb_device));
 	dvbdev->type = type;
 	dvbdev->id = id;
 	dvbdev->adapter = adap;
 	dvbdev->priv = priv;
+	dvbdev->fops = dvbdevfops;

+	memcpy(dvbdev->fops, template->fops, sizeof(struct file_operations));
 	dvbdev->fops->owner = adap->module;

 	list_add_tail (&dvbdev->list_head, &adap->device_list);
@@ -263,6 +275,7 @@
 					dvbdev->type, dvbdev->id)));

 	list_del (&dvbdev->list_head);
+	kfree (dvbdev->fops);
 	kfree (dvbdev);
 }
 EXPORT_SYMBOL(dvb_unregister_device);



-- 
Michael Krufky

Re: [v4l-dvb-maintainer] Re: [stable] [patch 00/50] -stable review

[Adrian Bunk]

On Wed, Feb 21, 2007 at 04:01:03PM -0500, Michael Krufky wrote:
>...
> Adrian, this should also apply against 2.6.16.y

Thanks, applied.

> Thank you,
> 
> Michael Krufky
>...

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed