--- /dev/null
+From stable-bounces@linux.kernel.org Sat Apr 28 17:39:28 2007
+From: Len Brown <lenb@kernel.org>
+To: stable@kernel.org
+Date: Sat, 28 Apr 2007 20:37:26 -0400
+Message-Id: <200704282037.26662.lenb@kernel.org>
+Cc: linux-acpi@vger.kernel.org
+Subject: ACPI: Fix 2.6.21 boot regression on P4/HT
+
+Up through 2.6.20 we cleared the FADT.CSTATE_CONTROL field
+for FADT versions before r3, because it made no sense
+for that reserved field to be set for pre-ACPI 2.0 systems.
+
+It turns out that not clearing this field exposes
+Linux to SMM BIOS failures, so do the same in 2.6.21.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=8346
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/acpi/tables/tbfadt.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/acpi/tables/tbfadt.c
++++ linux-2.6.21.1/drivers/acpi/tables/tbfadt.c
+@@ -347,6 +347,20 @@ static void acpi_tb_convert_fadt(void)
+ acpi_gbl_xpm1b_enable.space_id = acpi_gbl_FADT.xpm1a_event_block.space_id;
+
+ }
++ /*
++ * _CST object and C States change notification start with
++ * ACPI 2.0 (FADT r3). Although the field should be Reserved
++ * and 0 before then, some pre-r3 FADT set this field and
++ * it results in SMM-related boot failures. For them, clear it.
++ */
++ if ((acpi_gbl_FADT.header.revision < 3) &&
++ (acpi_gbl_FADT.cst_control != 0)) {
++ ACPI_WARNING((AE_INFO,
++ "Ignoring BIOS FADT r%u C-state control",
++ acpi_gbl_FADT.header.revision));
++ acpi_gbl_FADT.cst_control = 0;
++ }
++
+ }
+
+ /******************************************************************************
--- /dev/null
+From stable-bounces@linux.kernel.org Fri May 11 21:38:36 2007
+Message-ID: <4644FC34.9090105@gentoo.org>
+Date: Fri, 11 May 2007 19:28:52 -0400
+From: Daniel Drake <dsd@gentoo.org>
+To: stable@kernel.org
+Cc: Takashi Iwai <tiwai@suse.de>
+Subject: ALSA: hda-codec - Fix resume of STAC92xx codecs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+Added a missing call to resume mixer controls for STAC92xx codecs.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jaroslav Kysela <perex@suse.cz>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ sound/pci/hda/patch_sigmatel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.21.1.orig/sound/pci/hda/patch_sigmatel.c
++++ linux-2.6.21.1/sound/pci/hda/patch_sigmatel.c
+@@ -1751,6 +1751,7 @@ static int stac92xx_resume(struct hda_co
+
+ stac92xx_init(codec);
+ stac92xx_set_config_regs(codec);
++ snd_hda_resume_ctls(codec, spec->mixer);
+ for (i = 0; i < spec->num_mixers; i++)
+ snd_hda_resume_ctls(codec, spec->mixers[i]);
+ if (spec->multiout.dig_out_nid)
--- /dev/null
+From stable-bounces@linux.kernel.org Fri May 4 13:59:15 2007
+From: Dan Williams <dan.j.williams@intel.com>
+To: stable@kernel.org
+Date: Fri, 04 May 2007 11:22:23 -0700
+Message-ID: <20070504182222.28946.58494.stgit@dwillia2-linux.ch.intel.com>
+Cc: rmk@arm.linux.org.uk
+Subject: arm: fix handling of svc mode undefined instructions
+
+Now that do_undefinstr handles kernel and user mode undefined
+instruction exceptions it must not assume that interrupts are enabled at
+entry.
+
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ arch/arm/kernel/traps.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/arch/arm/kernel/traps.c
++++ linux-2.6.21.1/arch/arm/kernel/traps.c
+@@ -273,6 +273,7 @@ asmlinkage void do_undefinstr(struct pt_
+ struct undef_hook *hook;
+ siginfo_t info;
+ void __user *pc;
++ unsigned long flags;
+
+ /*
+ * According to the ARM ARM, PC is 2 or 4 bytes ahead,
+@@ -291,7 +292,7 @@ asmlinkage void do_undefinstr(struct pt_
+ get_user(instr, (u32 __user *)pc);
+ }
+
+- spin_lock_irq(&undef_lock);
++ spin_lock_irqsave(&undef_lock, flags);
+ list_for_each_entry(hook, &undef_hook, node) {
+ if ((instr & hook->instr_mask) == hook->instr_val &&
+ (regs->ARM_cpsr & hook->cpsr_mask) == hook->cpsr_val) {
+@@ -301,7 +302,7 @@ asmlinkage void do_undefinstr(struct pt_
+ }
+ }
+ }
+- spin_unlock_irq(&undef_lock);
++ spin_unlock_irqrestore(&undef_lock, flags);
+
+ #ifdef CONFIG_DEBUG_USER
+ if (user_debug & UDBG_UNDEFINED) {
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:19:40 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:04:28 -0700
+Message-ID: <1178589868.10892.14.camel@dell>
+Subject: BNX2: Block MII access when ifdown.
+
+The device may be in D3hot state and should not allow MII register
+access.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ drivers/net/bnx2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/net/bnx2.c
++++ linux-2.6.21.1/drivers/net/bnx2.c
+@@ -5564,6 +5564,9 @@ bnx2_ioctl(struct net_device *dev, struc
+ case SIOCGMIIREG: {
+ u32 mii_regval;
+
++ if (!netif_running(dev))
++ return -EAGAIN;
++
+ spin_lock_bh(&bp->phy_lock);
+ err = bnx2_read_phy(bp, data->reg_num & 0x1f, &mii_regval);
+ spin_unlock_bh(&bp->phy_lock);
+@@ -5577,6 +5580,9 @@ bnx2_ioctl(struct net_device *dev, struc
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
++ if (!netif_running(dev))
++ return -EAGAIN;
++
+ spin_lock_bh(&bp->phy_lock);
+ err = bnx2_write_phy(bp, data->reg_num & 0x1f, data->val_in);
+ spin_unlock_bh(&bp->phy_lock);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:19:10 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:04:17 -0700
+Message-ID: <1178589857.10892.13.camel@dell>
+Subject: BNX2: Fix TSO problem with small MSS.
+
+Remove the check for skb->len greater than MTU when doing TSO. When
+the destination has a smaller MSS than the source, a TSO packet may
+be smaller than the MTU at the source and we still need to process it
+as a TSO packet.
+
+Thanks to Brian Ristuccia <bristuccia@starentnetworks.com> for
+reporting the problem.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/bnx2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/bnx2.c
++++ linux-2.6.21.1/drivers/net/bnx2.c
+@@ -4510,8 +4510,7 @@ bnx2_start_xmit(struct sk_buff *skb, str
+ vlan_tag_flags |=
+ (TX_BD_FLAGS_VLAN_TAG | (vlan_tx_tag_get(skb) << 16));
+ }
+- if ((mss = skb_shinfo(skb)->gso_size) &&
+- (skb->len > (bp->dev->mtu + ETH_HLEN))) {
++ if ((mss = skb_shinfo(skb)->gso_size)) {
+ u32 tcp_opt_len, ip_tcp_len;
+
+ if (skb_header_cloned(skb) &&
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:21:54 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:04:35 -0700
+Message-ID: <1178589875.10892.15.camel@dell>
+Subject: BNX2: Save PCI state during suspend.
+
+This is needed to save the MSI state which will be lost during
+suspend.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ drivers/net/bnx2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/net/bnx2.c
++++ linux-2.6.21.1/drivers/net/bnx2.c
+@@ -6148,6 +6148,7 @@ bnx2_suspend(struct pci_dev *pdev, pm_me
+ reset_code = BNX2_DRV_MSG_CODE_SUSPEND_NO_WOL;
+ bnx2_reset_chip(bp, reset_code);
+ bnx2_free_skbs(bp);
++ pci_save_state(pdev);
+ bnx2_set_power_state(bp, pci_choose_state(pdev, state));
+ return 0;
+ }
+@@ -6161,6 +6162,7 @@ bnx2_resume(struct pci_dev *pdev)
+ if (!netif_running(dev))
+ return 0;
+
++ pci_restore_state(pdev);
+ bnx2_set_power_state(bp, PCI_D0);
+ netif_device_attach(dev);
+ bnx2_init_nic(bp);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:20:51 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:04:43 -0700
+Message-ID: <1178589884.10892.16.camel@dell>
+Subject: BNX2: Update version and reldate.
+
+Update version to 1.5.8.1.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ drivers/net/bnx2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/bnx2.c
++++ linux-2.6.21.1/drivers/net/bnx2.c
+@@ -54,8 +54,8 @@
+
+ #define DRV_MODULE_NAME "bnx2"
+ #define PFX DRV_MODULE_NAME ": "
+-#define DRV_MODULE_VERSION "1.5.8"
+-#define DRV_MODULE_RELDATE "April 24, 2007"
++#define DRV_MODULE_VERSION "1.5.8.1"
++#define DRV_MODULE_RELDATE "May 7, 2007"
+
+ #define RUN_AT(x) (jiffies + (x))
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 03:16:20 2007
+Message-Id: <200705090935.l499ZFxi019985@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 09 May 2007 02:35:15 -0700
+Cc: johnstul@us.ibm.com, ak@suse.de, stable@kernel.org, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu
+Subject: clocksource: fix resume logic
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+We need to make sure that the clocksources are resumed, when timekeeping is
+resumed. The current resume logic does not guarantee this.
+
+Add a resume function pointer to the clocksource struct, so clocksource
+drivers which need to reinitialize the clocksource can provide a resume
+function.
+
+Add a resume function, which calls the maybe available clocksource resume
+functions and resets the watchdog function, so a stable TSC can be used
+accross suspend/resume.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: john stultz <johnstul@us.ibm.com>
+Cc: Andi Kleen <ak@suse.de>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/linux/clocksource.h | 3 ++
+ kernel/time/clocksource.c | 45 ++++++++++++++++++++++++++++++++++++++++++++
+ kernel/timer.c | 2 +
+ 3 files changed, 50 insertions(+)
+
+--- linux-2.6.21.1.orig/include/linux/clocksource.h
++++ linux-2.6.21.1/include/linux/clocksource.h
+@@ -48,6 +48,7 @@ struct clocksource;
+ * @shift: cycle to nanosecond divisor (power of two)
+ * @flags: flags describing special properties
+ * @vread: vsyscall based read
++ * @resume: resume function for the clocksource, if necessary
+ * @cycle_interval: Used internally by timekeeping core, please ignore.
+ * @xtime_interval: Used internally by timekeeping core, please ignore.
+ */
+@@ -61,6 +62,7 @@ struct clocksource {
+ u32 shift;
+ unsigned long flags;
+ cycle_t (*vread)(void);
++ void (*resume)(void);
+
+ /* timekeeping specific data, ignore */
+ cycle_t cycle_last, cycle_interval;
+@@ -198,6 +200,7 @@ static inline void clocksource_calculate
+ extern int clocksource_register(struct clocksource*);
+ extern struct clocksource* clocksource_get_next(void);
+ extern void clocksource_change_rating(struct clocksource *cs, int rating);
++extern void clocksource_resume(void);
+
+ #ifdef CONFIG_GENERIC_TIME_VSYSCALL
+ extern void update_vsyscall(struct timespec *ts, struct clocksource *c);
+--- linux-2.6.21.1.orig/kernel/time/clocksource.c
++++ linux-2.6.21.1/kernel/time/clocksource.c
+@@ -74,6 +74,8 @@ static struct clocksource *watchdog;
+ static struct timer_list watchdog_timer;
+ static DEFINE_SPINLOCK(watchdog_lock);
+ static cycle_t watchdog_last;
++static int watchdog_resumed;
++
+ /*
+ * Interval: 0.5sec Treshold: 0.0625s
+ */
+@@ -98,15 +100,26 @@ static void clocksource_watchdog(unsigne
+ struct clocksource *cs, *tmp;
+ cycle_t csnow, wdnow;
+ int64_t wd_nsec, cs_nsec;
++ int resumed;
+
+ spin_lock(&watchdog_lock);
+
++ resumed = watchdog_resumed;
++ if (unlikely(resumed))
++ watchdog_resumed = 0;
++
+ wdnow = watchdog->read();
+ wd_nsec = cyc2ns(watchdog, (wdnow - watchdog_last) & watchdog->mask);
+ watchdog_last = wdnow;
+
+ list_for_each_entry_safe(cs, tmp, &watchdog_list, wd_list) {
+ csnow = cs->read();
++
++ if (unlikely(resumed)) {
++ cs->wd_last = csnow;
++ continue;
++ }
++
+ /* Initialized ? */
+ if (!(cs->flags & CLOCK_SOURCE_WATCHDOG)) {
+ if ((cs->flags & CLOCK_SOURCE_IS_CONTINUOUS) &&
+@@ -136,6 +149,13 @@ static void clocksource_watchdog(unsigne
+ }
+ spin_unlock(&watchdog_lock);
+ }
++static void clocksource_resume_watchdog(void)
++{
++ spin_lock(&watchdog_lock);
++ watchdog_resumed = 1;
++ spin_unlock(&watchdog_lock);
++}
++
+ static void clocksource_check_watchdog(struct clocksource *cs)
+ {
+ struct clocksource *cse;
+@@ -182,9 +202,34 @@ static void clocksource_check_watchdog(s
+ if (cs->flags & CLOCK_SOURCE_IS_CONTINUOUS)
+ cs->flags |= CLOCK_SOURCE_VALID_FOR_HRES;
+ }
++
++static inline void clocksource_resume_watchdog(void) { }
+ #endif
+
+ /**
++ * clocksource_resume - resume the clocksource(s)
++ */
++void clocksource_resume(void)
++{
++ struct list_head *tmp;
++ unsigned long flags;
++
++ spin_lock_irqsave(&clocksource_lock, flags);
++
++ list_for_each(tmp, &clocksource_list) {
++ struct clocksource *cs;
++
++ cs = list_entry(tmp, struct clocksource, list);
++ if (cs->resume)
++ cs->resume();
++ }
++
++ clocksource_resume_watchdog();
++
++ spin_unlock_irqrestore(&clocksource_lock, flags);
++}
++
++/**
+ * clocksource_get_next - Returns the selected clocksource
+ *
+ */
+--- linux-2.6.21.1.orig/kernel/timer.c
++++ linux-2.6.21.1/kernel/timer.c
+@@ -1903,6 +1903,8 @@ unregister_time_interpolator(struct time
+ prev = &curr->next;
+ }
+
++ clocksource_resume();
++
+ write_seqlock_irqsave(&xtime_lock, flags);
+ if (ti == time_interpolator) {
+ /* we lost the best time-interpolator: */
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Apr 30 12:02:47 2007
+Message-ID: <46363C9A.8080000@simon.arlott.org.uk>
+Date: Mon, 30 Apr 2007 19:59:38 +0100
+From: Simon Arlott <simon@fire.lp0.eu>
+To: stable@kernel.org
+Subject: cxacru: Fix infinite loop when trying to cancel polling task
+
+As part of the device initialisation cxacru_atm_start starts
+a rearming status polling task, which is cancelled in
+cxacru_unbind. Failure to ever start the task means an
+infinite loop occurs trying to cancel it.
+
+Possible reasons for not starting the polling task:
+* Firmware files missing
+* Device initialisation fails
+* User unplugs device or unloads module
+
+Effect:
+* Infinite loop in khubd trying to add/remove the device (or rmmod if timed right)
+
+Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Fixed for 2.6.22 by 6a02c996bce297a782432e29c69268356e97fadd.
+
+ drivers/usb/atm/cxacru.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/usb/atm/cxacru.c
++++ linux-2.6.21.1/drivers/usb/atm/cxacru.c
+@@ -146,6 +146,12 @@ enum cxacru_info_idx {
+ CXINF_MAX = 0x1c,
+ };
+
++enum poll_state {
++ CX_INIT,
++ CX_POLLING,
++ CX_ABORT
++};
++
+ struct cxacru_modem_type {
+ u32 pll_f_clk;
+ u32 pll_b_clk;
+@@ -159,6 +165,8 @@ struct cxacru_data {
+
+ int line_status;
+ struct delayed_work poll_work;
++ struct mutex poll_state_serialize;
++ enum poll_state poll_state;
+
+ /* contol handles */
+ struct mutex cm_serialize;
+@@ -356,7 +364,7 @@ static int cxacru_atm_start(struct usbat
+ /*
+ struct atm_dev *atm_dev = usbatm_instance->atm_dev;
+ */
+- int ret;
++ int ret, start_polling = 1;
+
+ dbg("cxacru_atm_start");
+
+@@ -376,7 +384,15 @@ static int cxacru_atm_start(struct usbat
+ }
+
+ /* Start status polling */
+- cxacru_poll_status(&instance->poll_work.work);
++ mutex_lock(&instance->poll_state_serialize);
++ if (instance->poll_state == CX_INIT)
++ instance->poll_state = CX_POLLING;
++ else /* poll_state == CX_ABORT */
++ start_polling = 0;
++ mutex_unlock(&instance->poll_state_serialize);
++
++ if (start_polling)
++ cxacru_poll_status(&instance->poll_work.work);
+ return 0;
+ }
+
+@@ -685,6 +701,9 @@ static int cxacru_bind(struct usbatm_dat
+ instance->usbatm = usbatm_instance;
+ instance->modem_type = (struct cxacru_modem_type *) id->driver_info;
+
++ mutex_init(&instance->poll_state_serialize);
++ instance->poll_state = CX_INIT;
++
+ instance->rcv_buf = (u8 *) __get_free_page(GFP_KERNEL);
+ if (!instance->rcv_buf) {
+ dbg("cxacru_bind: no memory for rcv_buf");
+@@ -744,6 +763,7 @@ static void cxacru_unbind(struct usbatm_
+ struct usb_interface *intf)
+ {
+ struct cxacru_data *instance = usbatm_instance->driver_data;
++ int stop_polling = 1;
+
+ dbg("cxacru_unbind entered");
+
+@@ -752,8 +772,20 @@ static void cxacru_unbind(struct usbatm_
+ return;
+ }
+
+- while (!cancel_delayed_work(&instance->poll_work))
+- flush_scheduled_work();
++ mutex_lock(&instance->poll_state_serialize);
++ if (instance->poll_state != CX_POLLING) {
++ /* Polling hasn't started yet and with
++ * the mutex locked it can be prevented
++ * from starting.
++ */
++ instance->poll_state = CX_ABORT;
++ stop_polling = 0;
++ }
++ mutex_unlock(&instance->poll_state_serialize);
++
++ if (stop_polling)
++ while (!cancel_delayed_work(&instance->poll_work))
++ flush_scheduled_work();
+
+ usb_kill_urb(instance->snd_urb);
+ usb_kill_urb(instance->rcv_urb);
--- /dev/null
+From stable-bounces@linux.kernel.org Thu May 10 07:47:30 2007
+Message-ID: <46432FFD.1040304@gmail.com>
+Date: Thu, 10 May 2007 16:45:17 +0200
+From: Tejun Heo <htejun@gmail.com>
+To: Greg KH <greg@kroah.com>
+Cc: stable@kernel.org, Alan Stern <stern@rowland.harvard.edu>, linux-usb-devel@lists.sourceforge.net, Chris Rankin <rankincj@yahoo.com>
+Subject: driver-core: don't free devt_attr till the device is released
+
+Currently, devt_attr for the "dev" file is freed immediately on device
+removal, but if the "dev" sysfs file is open when a device is removed,
+sysfs will access its attribute structure for further access including
+close resulting in jumping to garbled address. Fix it by postponing
+freeing devt_attr to device release time.
+
+Note that devt_attr for class_device is already freed on release.
+
+This bug is reported by Chris Rankin as bugzilla bug#8198.
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Cc: Chris Rankin <rankincj@yahoo.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Applies well to 2.6.20 and 21. As sysfs-immediate-disconnect doesn't
+seem to be included in 2.6.22, this should be included in linus#master
+too (applies well there as well).
+
+ drivers/base/core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/base/core.c
++++ linux-2.6.21.1/drivers/base/core.c
+@@ -93,6 +93,9 @@ static void device_release(struct kobjec
+ {
+ struct device * dev = to_dev(kobj);
+
++ kfree(dev->devt_attr);
++ dev->devt_attr = NULL;
++
+ if (dev->release)
+ dev->release(dev);
+ else if (dev->type && dev->type->release)
+@@ -765,10 +768,8 @@ void device_del(struct device * dev)
+
+ if (parent)
+ klist_del(&dev->knode_parent);
+- if (dev->devt_attr) {
++ if (dev->devt_attr)
+ device_remove_file(dev, dev->devt_attr);
+- kfree(dev->devt_attr);
+- }
+ if (dev->class) {
+ sysfs_remove_link(&dev->kobj, "subsystem");
+ /* If this is not a "fake" compatible device, remove the
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 8 00:34:00 2007
+Message-Id: <200705080731.l487VTWR017264@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Tue, 08 May 2007 00:31:28 -0700
+Cc: akpm@linux-foundation.org, stable@kernel.org, hirofumi@mail.parknet.co.jp, bartoldeman@users.sourceforge.net
+Subject: fat: fix VFAT compat ioctls on 64-bit systems
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+If you compile and run the below test case in an msdos or vfat directory on
+an x86-64 system with -m32 you'll get garbage in the kernel_dirent struct
+followed by a SIGSEGV.
+
+The patch fixes this.
+
+Reported and initial fix by Bart Oldeman
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <dirent.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+struct kernel_dirent {
+ long d_ino;
+ long d_off;
+ unsigned short d_reclen;
+ char d_name[256]; /* We must not include limits.h! */
+};
+#define VFAT_IOCTL_READDIR_BOTH _IOR('r', 1, struct kernel_dirent [2])
+#define VFAT_IOCTL_READDIR_SHORT _IOR('r', 2, struct kernel_dirent [2])
+
+int main(void)
+{
+ int fd = open(".", O_RDONLY);
+ struct kernel_dirent de[2];
+
+ while (1) {
+ int i = ioctl(fd, VFAT_IOCTL_READDIR_BOTH, (long)de);
+ if (i == -1) break;
+ if (de[0].d_reclen == 0) break;
+ printf("SFN: reclen=%2d off=%d ino=%d, %-12s",
+ de[0].d_reclen, de[0].d_off, de[0].d_ino, de[0].d_name);
+ if (de[1].d_reclen)
+ printf("\tLFN: reclen=%2d off=%d ino=%d, %s",
+ de[1].d_reclen, de[1].d_off, de[1].d_ino, de[1].d_name);
+ printf("\n");
+ }
+ return 0;
+}
+
+Signed-off-by: Bart Oldeman <bartoldeman@users.sourceforge.net>
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/fat/dir.c | 199 +++++++++++++++++++++++++++++------------------------------
+ 1 file changed, 100 insertions(+), 99 deletions(-)
+
+--- linux-2.6.21.1.orig/fs/fat/dir.c
++++ linux-2.6.21.1/fs/fat/dir.c
+@@ -422,7 +422,7 @@ EODir:
+ EXPORT_SYMBOL_GPL(fat_search_long);
+
+ struct fat_ioctl_filldir_callback {
+- struct dirent __user *dirent;
++ void __user *dirent;
+ int result;
+ /* for dir ioctl */
+ const char *longname;
+@@ -647,62 +647,85 @@ static int fat_readdir(struct file *filp
+ return __fat_readdir(inode, filp, dirent, filldir, 0, 0);
+ }
+
+-static int fat_ioctl_filldir(void *__buf, const char *name, int name_len,
+- loff_t offset, u64 ino, unsigned int d_type)
++#define FAT_IOCTL_FILLDIR_FUNC(func, dirent_type) \
++static int func(void *__buf, const char *name, int name_len, \
++ loff_t offset, u64 ino, unsigned int d_type) \
++{ \
++ struct fat_ioctl_filldir_callback *buf = __buf; \
++ struct dirent_type __user *d1 = buf->dirent; \
++ struct dirent_type __user *d2 = d1 + 1; \
++ \
++ if (buf->result) \
++ return -EINVAL; \
++ buf->result++; \
++ \
++ if (name != NULL) { \
++ /* dirent has only short name */ \
++ if (name_len >= sizeof(d1->d_name)) \
++ name_len = sizeof(d1->d_name) - 1; \
++ \
++ if (put_user(0, d2->d_name) || \
++ put_user(0, &d2->d_reclen) || \
++ copy_to_user(d1->d_name, name, name_len) || \
++ put_user(0, d1->d_name + name_len) || \
++ put_user(name_len, &d1->d_reclen)) \
++ goto efault; \
++ } else { \
++ /* dirent has short and long name */ \
++ const char *longname = buf->longname; \
++ int long_len = buf->long_len; \
++ const char *shortname = buf->shortname; \
++ int short_len = buf->short_len; \
++ \
++ if (long_len >= sizeof(d1->d_name)) \
++ long_len = sizeof(d1->d_name) - 1; \
++ if (short_len >= sizeof(d1->d_name)) \
++ short_len = sizeof(d1->d_name) - 1; \
++ \
++ if (copy_to_user(d2->d_name, longname, long_len) || \
++ put_user(0, d2->d_name + long_len) || \
++ put_user(long_len, &d2->d_reclen) || \
++ put_user(ino, &d2->d_ino) || \
++ put_user(offset, &d2->d_off) || \
++ copy_to_user(d1->d_name, shortname, short_len) || \
++ put_user(0, d1->d_name + short_len) || \
++ put_user(short_len, &d1->d_reclen)) \
++ goto efault; \
++ } \
++ return 0; \
++efault: \
++ buf->result = -EFAULT; \
++ return -EFAULT; \
++}
++
++FAT_IOCTL_FILLDIR_FUNC(fat_ioctl_filldir, dirent)
++
++static int fat_ioctl_readdir(struct inode *inode, struct file *filp,
++ void __user *dirent, filldir_t filldir,
++ int short_only, int both)
+ {
+- struct fat_ioctl_filldir_callback *buf = __buf;
+- struct dirent __user *d1 = buf->dirent;
+- struct dirent __user *d2 = d1 + 1;
+-
+- if (buf->result)
+- return -EINVAL;
+- buf->result++;
+-
+- if (name != NULL) {
+- /* dirent has only short name */
+- if (name_len >= sizeof(d1->d_name))
+- name_len = sizeof(d1->d_name) - 1;
+-
+- if (put_user(0, d2->d_name) ||
+- put_user(0, &d2->d_reclen) ||
+- copy_to_user(d1->d_name, name, name_len) ||
+- put_user(0, d1->d_name + name_len) ||
+- put_user(name_len, &d1->d_reclen))
+- goto efault;
+- } else {
+- /* dirent has short and long name */
+- const char *longname = buf->longname;
+- int long_len = buf->long_len;
+- const char *shortname = buf->shortname;
+- int short_len = buf->short_len;
+-
+- if (long_len >= sizeof(d1->d_name))
+- long_len = sizeof(d1->d_name) - 1;
+- if (short_len >= sizeof(d1->d_name))
+- short_len = sizeof(d1->d_name) - 1;
+-
+- if (copy_to_user(d2->d_name, longname, long_len) ||
+- put_user(0, d2->d_name + long_len) ||
+- put_user(long_len, &d2->d_reclen) ||
+- put_user(ino, &d2->d_ino) ||
+- put_user(offset, &d2->d_off) ||
+- copy_to_user(d1->d_name, shortname, short_len) ||
+- put_user(0, d1->d_name + short_len) ||
+- put_user(short_len, &d1->d_reclen))
+- goto efault;
++ struct fat_ioctl_filldir_callback buf;
++ int ret;
++
++ buf.dirent = dirent;
++ buf.result = 0;
++ mutex_lock(&inode->i_mutex);
++ ret = -ENOENT;
++ if (!IS_DEADDIR(inode)) {
++ ret = __fat_readdir(inode, filp, &buf, filldir,
++ short_only, both);
+ }
+- return 0;
+-efault:
+- buf->result = -EFAULT;
+- return -EFAULT;
++ mutex_unlock(&inode->i_mutex);
++ if (ret >= 0)
++ ret = buf.result;
++ return ret;
+ }
+
+-static int fat_dir_ioctl(struct inode * inode, struct file * filp,
+- unsigned int cmd, unsigned long arg)
++static int fat_dir_ioctl(struct inode *inode, struct file *filp,
++ unsigned int cmd, unsigned long arg)
+ {
+- struct fat_ioctl_filldir_callback buf;
+- struct dirent __user *d1;
+- int ret, short_only, both;
++ struct dirent __user *d1 = (struct dirent __user *)arg;
++ int short_only, both;
+
+ switch (cmd) {
+ case VFAT_IOCTL_READDIR_SHORT:
+@@ -717,7 +740,6 @@ static int fat_dir_ioctl(struct inode *
+ return fat_generic_ioctl(inode, filp, cmd, arg);
+ }
+
+- d1 = (struct dirent __user *)arg;
+ if (!access_ok(VERIFY_WRITE, d1, sizeof(struct dirent[2])))
+ return -EFAULT;
+ /*
+@@ -728,69 +750,48 @@ static int fat_dir_ioctl(struct inode *
+ if (put_user(0, &d1->d_reclen))
+ return -EFAULT;
+
+- buf.dirent = d1;
+- buf.result = 0;
+- mutex_lock(&inode->i_mutex);
+- ret = -ENOENT;
+- if (!IS_DEADDIR(inode)) {
+- ret = __fat_readdir(inode, filp, &buf, fat_ioctl_filldir,
+- short_only, both);
+- }
+- mutex_unlock(&inode->i_mutex);
+- if (ret >= 0)
+- ret = buf.result;
+- return ret;
++ return fat_ioctl_readdir(inode, filp, d1, fat_ioctl_filldir,
++ short_only, both);
+ }
+
+ #ifdef CONFIG_COMPAT
+ #define VFAT_IOCTL_READDIR_BOTH32 _IOR('r', 1, struct compat_dirent[2])
+ #define VFAT_IOCTL_READDIR_SHORT32 _IOR('r', 2, struct compat_dirent[2])
+
+-static long fat_compat_put_dirent32(struct dirent *d,
+- struct compat_dirent __user *d32)
+-{
+- if (!access_ok(VERIFY_WRITE, d32, sizeof(struct compat_dirent)))
+- return -EFAULT;
++FAT_IOCTL_FILLDIR_FUNC(fat_compat_ioctl_filldir, compat_dirent)
+
+- __put_user(d->d_ino, &d32->d_ino);
+- __put_user(d->d_off, &d32->d_off);
+- __put_user(d->d_reclen, &d32->d_reclen);
+- if (__copy_to_user(d32->d_name, d->d_name, d->d_reclen))
+- return -EFAULT;
+-
+- return 0;
+-}
+-
+-static long fat_compat_dir_ioctl(struct file *file, unsigned cmd,
++static long fat_compat_dir_ioctl(struct file *filp, unsigned cmd,
+ unsigned long arg)
+ {
+- struct compat_dirent __user *p = compat_ptr(arg);
+- int ret;
+- mm_segment_t oldfs = get_fs();
+- struct dirent d[2];
++ struct inode *inode = filp->f_path.dentry->d_inode;
++ struct compat_dirent __user *d1 = compat_ptr(arg);
++ int short_only, both;
+
+ switch (cmd) {
+- case VFAT_IOCTL_READDIR_BOTH32:
+- cmd = VFAT_IOCTL_READDIR_BOTH;
+- break;
+ case VFAT_IOCTL_READDIR_SHORT32:
+- cmd = VFAT_IOCTL_READDIR_SHORT;
++ short_only = 1;
++ both = 0;
++ break;
++ case VFAT_IOCTL_READDIR_BOTH32:
++ short_only = 0;
++ both = 1;
+ break;
+ default:
+ return -ENOIOCTLCMD;
+ }
+
+- set_fs(KERNEL_DS);
+- lock_kernel();
+- ret = fat_dir_ioctl(file->f_path.dentry->d_inode, file,
+- cmd, (unsigned long) &d);
+- unlock_kernel();
+- set_fs(oldfs);
+- if (ret >= 0) {
+- ret |= fat_compat_put_dirent32(&d[0], p);
+- ret |= fat_compat_put_dirent32(&d[1], p + 1);
+- }
+- return ret;
++ if (!access_ok(VERIFY_WRITE, d1, sizeof(struct compat_dirent[2])))
++ return -EFAULT;
++ /*
++ * Yes, we don't need this put_user() absolutely. However old
++ * code didn't return the right value. So, app use this value,
++ * in order to check whether it is EOF.
++ */
++ if (put_user(0, &d1->d_reclen))
++ return -EFAULT;
++
++ return fat_ioctl_readdir(inode, filp, d1, fat_compat_ioctl_filldir,
++ short_only, both);
+ }
+ #endif /* CONFIG_COMPAT */
+
--- /dev/null
+From stable-bounces@linux.kernel.org Thu May 10 23:11:14 2007
+Message-Id: <200705110601.l4B6183j008187@shell0.pdx.osdl.net>
+To: James.Bottomley@steeleye.com
+From: akpm@linux-foundation.org
+Date: Thu, 10 May 2007 23:01:08 -0700
+Cc: akpm@linux-foundation.org, Eric.Moore@lsil.com, stable@kernel.org, linux-scsi@vger.kernel.org, doug.chapman@hp.com
+Subject: fix for bugzilla 8426: massive slowdown on SCSI CD/DVD drive connected to mptspi driver
+
+From: Doug Chapman <doug.chapman@hp.com>
+
+Patch for: http://bugzilla.kernel.org/show_bug.cgi?id=8426
+
+A recent code cleanup that moved code from mptscsih to mptspi inadvertently
+change the order some code was called. This caused a massive slowdown (of
+150x to 300x) on the CD/DVD drive on the high-end HP Integrity servers.
+
+Signed-off-by: Doug Chapman <doug.chapman@hp.com>
+Cc: "Moore, Eric Dean" <Eric.Moore@lsil.com>
+Cc: James Bottomley <James.Bottomley@steeleye.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+[chrisw: Why is this not upstream yet?]
+
+ drivers/message/fusion/mptspi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/message/fusion/mptspi.c
++++ linux-2.6.21.1/drivers/message/fusion/mptspi.c
+@@ -726,13 +726,15 @@ static int mptspi_slave_configure(struct
+ struct _MPT_SCSI_HOST *hd =
+ (struct _MPT_SCSI_HOST *)sdev->host->hostdata;
+ VirtTarget *vtarget = scsi_target(sdev)->hostdata;
+- int ret = mptscsih_slave_configure(sdev);
++ int ret;
++
++ mptspi_initTarget(hd, vtarget, sdev);
++
++ ret = mptscsih_slave_configure(sdev);
+
+ if (ret)
+ return ret;
+
+- mptspi_initTarget(hd, vtarget, sdev);
+-
+ ddvprintk((MYIOC_s_INFO_FMT "id=%d min_period=0x%02x"
+ " max_offset=0x%02x max_width=%d\n", hd->ioc->name,
+ sdev->id, spi_min_period(scsi_target(sdev)),
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 02:36:13 2007
+Message-Id: <200705090933.l499X98T019451@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Wed, 09 May 2007 02:33:09 -0700
+Cc: dwg@au1.ibm.com, kenchen@google.com, mbligh@google.com, agl@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org, david@gibson.dropbear.id.au
+Subject: fix leaky resv_huge_pages when cpuset is in use
+
+From: "Ken Chen" <kenchen@google.com>
+
+The internal hugetlb resv_huge_pages variable can permanently leak nonzero
+value in the error path of hugetlb page fault handler when hugetlb page is
+used in combination of cpuset. The leaked count can permanently trap N
+number of hugetlb pages in unusable "reserved" state.
+
+Steps to reproduce the bug:
+
+ (1) create two cpuset, user1 and user2
+ (2) reserve 50 htlb pages in cpuset user1
+ (3) attempt to shmget/shmat 50 htlb page inside cpuset user2
+ (4) kernel oom the user process in step 3
+ (5) ipcrm the shm segment
+
+At this point resv_huge_pages will have a count of 49, even though
+there are no active hugetlbfs file nor hugetlb shared memory segment
+in the system. The leak is permanent and there is no recovery method
+other than system reboot. The leaked count will hold up all future use
+of that many htlb pages in all cpusets.
+
+The culprit is that the error path of alloc_huge_page() did not
+properly undo the change it made to resv_huge_page, causing
+inconsistent state.
+
+Signed-off-by: Ken Chen <kenchen@google.com>
+Cc: David Gibson <david@gibson.dropbear.id.au>
+Cc: Adam Litke <agl@us.ibm.com>
+Cc: Martin Bligh <mbligh@google.com>
+Acked-by: David Gibson <dwg@au1.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ mm/hugetlb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.21.1.orig/mm/hugetlb.c
++++ linux-2.6.21.1/mm/hugetlb.c
+@@ -140,6 +140,8 @@ static struct page *alloc_huge_page(stru
+ return page;
+
+ fail:
++ if (vma->vm_flags & VM_MAYSHARE)
++ resv_huge_pages++;
+ spin_unlock(&hugetlb_lock);
+ return NULL;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 8 00:48:08 2007
+Message-Id: <200705080730.l487U3xB017106@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Tue, 08 May 2007 00:30:03 -0700
+Cc: rostedt@goodmis.org, stable@kernel.org, mlord@pobox.com, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu
+Subject: highres/dyntick: prevent xtime lock contention
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+While the !highres/!dyntick code assigns the duty of the do_timer() call to
+one specific CPU, this was dropped in the highres/dyntick part during
+development.
+
+Steven Rostedt discovered the xtime lock contention on highres/dyntick due
+to several CPUs trying to update jiffies.
+
+Add the single CPU assignement back. In the dyntick case this needs to be
+handled carefully, as the CPU which has the do_timer() duty must drop the
+assignement and let it be grabbed by another CPU, which is active.
+Otherwise the do_timer() calls would not happen during the long sleep.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Mark Lord <mlord@pobox.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ kernel/time/tick-common.c | 8 +++++++-
+ kernel/time/tick-internal.h | 1 +
+ kernel/time/tick-sched.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 48 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/kernel/time/tick-common.c
++++ linux-2.6.21.1/kernel/time/tick-common.c
+@@ -31,7 +31,7 @@ DEFINE_PER_CPU(struct tick_device, tick_
+ */
+ ktime_t tick_next_period;
+ ktime_t tick_period;
+-static int tick_do_timer_cpu = -1;
++int tick_do_timer_cpu __read_mostly = -1;
+ DEFINE_SPINLOCK(tick_device_lock);
+
+ /*
+@@ -295,6 +295,12 @@ static void tick_shutdown(unsigned int *
+ clockevents_exchange_device(dev, NULL);
+ td->evtdev = NULL;
+ }
++ /* Transfer the do_timer job away from this cpu */
++ if (*cpup == tick_do_timer_cpu) {
++ int cpu = first_cpu(cpu_online_map);
++
++ tick_do_timer_cpu = (cpu != NR_CPUS) ? cpu : -1;
++ }
+ spin_unlock_irqrestore(&tick_device_lock, flags);
+ }
+
+--- linux-2.6.21.1.orig/kernel/time/tick-internal.h
++++ linux-2.6.21.1/kernel/time/tick-internal.h
+@@ -5,6 +5,7 @@ DECLARE_PER_CPU(struct tick_device, tick
+ extern spinlock_t tick_device_lock;
+ extern ktime_t tick_next_period;
+ extern ktime_t tick_period;
++extern int tick_do_timer_cpu __read_mostly;
+
+ extern void tick_setup_periodic(struct clock_event_device *dev, int broadcast);
+ extern void tick_handle_periodic(struct clock_event_device *dev);
+--- linux-2.6.21.1.orig/kernel/time/tick-sched.c
++++ linux-2.6.21.1/kernel/time/tick-sched.c
+@@ -221,6 +221,18 @@ void tick_nohz_stop_sched_tick(void)
+ ts->tick_stopped = 1;
+ ts->idle_jiffies = last_jiffies;
+ }
++
++ /*
++ * If this cpu is the one which updates jiffies, then
++ * give up the assignment and let it be taken by the
++ * cpu which runs the tick timer next, which might be
++ * this cpu as well. If we don't drop this here the
++ * jiffies might be stale and do_timer() never
++ * invoked.
++ */
++ if (cpu == tick_do_timer_cpu)
++ tick_do_timer_cpu = -1;
++
+ /*
+ * calculate the expiry time for the next timer wheel
+ * timer
+@@ -338,12 +350,24 @@ static void tick_nohz_handler(struct clo
+ {
+ struct tick_sched *ts = &__get_cpu_var(tick_cpu_sched);
+ struct pt_regs *regs = get_irq_regs();
++ int cpu = smp_processor_id();
+ ktime_t now = ktime_get();
+
+ dev->next_event.tv64 = KTIME_MAX;
+
++ /*
++ * Check if the do_timer duty was dropped. We don't care about
++ * concurrency: This happens only when the cpu in charge went
++ * into a long sleep. If two cpus happen to assign themself to
++ * this duty, then the jiffies update is still serialized by
++ * xtime_lock.
++ */
++ if (unlikely(tick_do_timer_cpu == -1))
++ tick_do_timer_cpu = cpu;
++
+ /* Check, if the jiffies need an update */
+- tick_do_update_jiffies64(now);
++ if (tick_do_timer_cpu == cpu)
++ tick_do_update_jiffies64(now);
+
+ /*
+ * When we are idle and the tick is stopped, we have to touch
+@@ -431,9 +455,23 @@ static enum hrtimer_restart tick_sched_t
+ struct hrtimer_cpu_base *base = timer->base->cpu_base;
+ struct pt_regs *regs = get_irq_regs();
+ ktime_t now = ktime_get();
++ int cpu = smp_processor_id();
++
++#ifdef CONFIG_NO_HZ
++ /*
++ * Check if the do_timer duty was dropped. We don't care about
++ * concurrency: This happens only when the cpu in charge went
++ * into a long sleep. If two cpus happen to assign themself to
++ * this duty, then the jiffies update is still serialized by
++ * xtime_lock.
++ */
++ if (unlikely(tick_do_timer_cpu == -1))
++ tick_do_timer_cpu = cpu;
++#endif
+
+ /* Check, if the jiffies need an update */
+- tick_do_update_jiffies64(now);
++ if (tick_do_timer_cpu == cpu)
++ tick_do_update_jiffies64(now);
+
+ /*
+ * Do not call, when we are not in irq context and have
--- /dev/null
+From stable-bounces@linux.kernel.org Fri May 11 11:12:05 2007
+From: Thomas Gleixner <tglx@linutronix.de>
+To: Andi Kleen <ak@suse.de>
+Date: Fri, 11 May 2007 20:13:10 +0200
+Message-Id: <1178907191.22481.72.camel@localhost.localdomain>
+Cc: guilherme@centralinf.com.br, johnstul@us.ibm.com, akpm@linux-foundation.org, stable@kernel.org
+Subject: i386: HPET, check if the counter works
+
+Some systems have a HPET which is not incrementing, which leads to a
+complete hang. Detect it during HPET setup.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+[chrisw: Why is this not upstream yet?]
+
+---
+ arch/i386/kernel/hpet.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/arch/i386/kernel/hpet.c
++++ linux-2.6.21.1/arch/i386/kernel/hpet.c
+@@ -226,7 +226,8 @@ int __init hpet_enable(void)
+ {
+ unsigned long id;
+ uint64_t hpet_freq;
+- u64 tmp;
++ u64 tmp, start, now;
++ cycle_t t1;
+
+ if (!is_hpet_capable())
+ return 0;
+@@ -273,6 +274,27 @@ int __init hpet_enable(void)
+ /* Start the counter */
+ hpet_start_counter();
+
++ /* Verify whether hpet counter works */
++ t1 = read_hpet();
++ rdtscll(start);
++
++ /*
++ * We don't know the TSC frequency yet, but waiting for
++ * 200000 TSC cycles is safe:
++ * 4 GHz == 50us
++ * 1 GHz == 200us
++ */
++ do {
++ rep_nop();
++ rdtscll(now);
++ } while ((now - start) < 200000UL);
++
++ if (t1 == read_hpet()) {
++ printk(KERN_WARNING
++ "HPET counter not counting. HPET disabled\n");
++ goto out_nohpet;
++ }
++
+ /* Initialize and register HPET clocksource
+ *
+ * hpet period is in femto seconds per cycle
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 2 11:45:45 2007
+From: Dan Williams <dan.j.williams@intel.com>
+To: stable@kernel.org
+Date: Wed, 02 May 2007 11:43:14 -0700
+Message-ID: <20070502184314.10289.8158.stgit@dwillia2-linux.ch.intel.com>
+Cc: rmk@arm.linux.org.uk
+Subject: iop: fix iop_getttimeoffset
+
+Fix a typo which causes a necessary cpwait to be missed on iop3xx, Michael
+Brunner <mibru@gmx.de>
+
+Save a register in the assembly routine, rmk
+
+Cc: Lennert Buytenhek <kernel@wantstofly.org>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ arch/arm/plat-iop/time.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/arch/arm/plat-iop/time.c
++++ linux-2.6.21.1/arch/arm/plat-iop/time.c
+@@ -32,22 +32,22 @@ static unsigned long next_jiffy_time;
+
+ unsigned long iop_gettimeoffset(void)
+ {
+- unsigned long offset, temp1, temp2;
++ unsigned long offset, temp;
+
+ /* enable cp6, if necessary, to avoid taking the overhead of an
+ * undefined instruction trap
+ */
+ asm volatile (
+ "mrc p15, 0, %0, c15, c1, 0\n\t"
+- "ands %1, %0, #(1 << 6)\n\t"
++ "tst %0, #(1 << 6)\n\t"
+ "orreq %0, %0, #(1 << 6)\n\t"
+ "mcreq p15, 0, %0, c15, c1, 0\n\t"
+-#ifdef CONFIG_XSCALE
++#ifdef CONFIG_CPU_XSCALE
+ "mrceq p15, 0, %0, c15, c1, 0\n\t"
+ "moveq %0, %0\n\t"
+ "subeq pc, pc, #4\n\t"
+ #endif
+- : "=r"(temp1), "=r"(temp2) : : "cc");
++ : "=r"(temp) : : "cc");
+
+ offset = next_jiffy_time - read_tcr1();
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 2 11:45:25 2007
+From: Dan Williams <dan.j.williams@intel.com>
+To: stable@kernel.org
+Date: Wed, 02 May 2007 11:43:19 -0700
+Message-ID: <20070502184319.10289.25924.stgit@dwillia2-linux.ch.intel.com>
+Cc: rmk@arm.linux.org.uk
+Subject: iop13xx: fix i/o address translation
+
+PCI devices were being programmed with an incorrect base address value.
+This patch moves I/O space into a 16-bit addressable region and corrects
+the i/o offset.
+
+Much thanks to Martin Michlmayr for tracking this issue and testing
+debug patches.
+
+Cc: Martin Michlmayr <tbm@cyrius.com>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ arch/arm/mach-iop13xx/pci.c | 8 ++++----
+ include/asm-arm/arch-iop13xx/iop13xx.h | 22 +++++++++++++---------
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+--- linux-2.6.21.1.orig/arch/arm/mach-iop13xx/pci.c
++++ linux-2.6.21.1/arch/arm/mach-iop13xx/pci.c
+@@ -1023,7 +1023,7 @@ int iop13xx_pci_setup(int nr, struct pci
+ << IOP13XX_ATUX_PCIXSR_FUNC_NUM;
+ __raw_writel(pcixsr, IOP13XX_ATUX_PCIXSR);
+
+- res[0].start = IOP13XX_PCIX_LOWER_IO_PA;
++ res[0].start = IOP13XX_PCIX_LOWER_IO_PA + IOP13XX_PCIX_IO_BUS_OFFSET;
+ res[0].end = IOP13XX_PCIX_UPPER_IO_PA;
+ res[0].name = "IQ81340 ATUX PCI I/O Space";
+ res[0].flags = IORESOURCE_IO;
+@@ -1033,7 +1033,7 @@ int iop13xx_pci_setup(int nr, struct pci
+ res[1].name = "IQ81340 ATUX PCI Memory Space";
+ res[1].flags = IORESOURCE_MEM;
+ sys->mem_offset = IOP13XX_PCIX_MEM_OFFSET;
+- sys->io_offset = IOP13XX_PCIX_IO_OFFSET;
++ sys->io_offset = IOP13XX_PCIX_LOWER_IO_PA;
+ break;
+ case IOP13XX_INIT_ATU_ATUE:
+ /* Note: the function number field in the PCSR is ro */
+@@ -1044,7 +1044,7 @@ int iop13xx_pci_setup(int nr, struct pci
+
+ __raw_writel(pcsr, IOP13XX_ATUE_PCSR);
+
+- res[0].start = IOP13XX_PCIE_LOWER_IO_PA;
++ res[0].start = IOP13XX_PCIE_LOWER_IO_PA + IOP13XX_PCIE_IO_BUS_OFFSET;
+ res[0].end = IOP13XX_PCIE_UPPER_IO_PA;
+ res[0].name = "IQ81340 ATUE PCI I/O Space";
+ res[0].flags = IORESOURCE_IO;
+@@ -1054,7 +1054,7 @@ int iop13xx_pci_setup(int nr, struct pci
+ res[1].name = "IQ81340 ATUE PCI Memory Space";
+ res[1].flags = IORESOURCE_MEM;
+ sys->mem_offset = IOP13XX_PCIE_MEM_OFFSET;
+- sys->io_offset = IOP13XX_PCIE_IO_OFFSET;
++ sys->io_offset = IOP13XX_PCIE_LOWER_IO_PA;
+ sys->map_irq = iop13xx_pcie_map_irq;
+ break;
+ default:
+--- linux-2.6.21.1.orig/include/asm-arm/arch-iop13xx/iop13xx.h
++++ linux-2.6.21.1/include/asm-arm/arch-iop13xx/iop13xx.h
+@@ -27,19 +27,24 @@ static inline int iop13xx_cpu_id(void)
+ #define IOP13XX_PCI_OFFSET IOP13XX_MAX_RAM_SIZE
+
+ /* PCI MAP
+- * 0x0000.0000 - 0x8000.0000 1:1 mapping with Physical RAM
+- * 0x8000.0000 - 0x8800.0000 PCIX/PCIE memory window (128MB)
+-*/
++ * bus range cpu phys cpu virt note
++ * 0x0000.0000 + 2GB (n/a) (n/a) inbound, 1:1 mapping with Physical RAM
++ * 0x8000.0000 + 928M 0x1.8000.0000 (ioremap) PCIX outbound memory window
++ * 0x8000.0000 + 928M 0x2.8000.0000 (ioremap) PCIE outbound memory window
++ *
++ * IO MAP
++ * 0x1000 + 64K 0x0.fffb.1000 0xfec6.1000 PCIX outbound i/o window
++ * 0x1000 + 64K 0x0.fffd.1000 0xfed7.1000 PCIE outbound i/o window
++ */
+ #define IOP13XX_PCIX_IO_WINDOW_SIZE 0x10000UL
+ #define IOP13XX_PCIX_LOWER_IO_PA 0xfffb0000UL
+ #define IOP13XX_PCIX_LOWER_IO_VA 0xfec60000UL
+-#define IOP13XX_PCIX_LOWER_IO_BA 0x0fff0000UL
++#define IOP13XX_PCIX_LOWER_IO_BA 0x0UL /* OIOTVR */
++#define IOP13XX_PCIX_IO_BUS_OFFSET 0x1000UL
+ #define IOP13XX_PCIX_UPPER_IO_PA (IOP13XX_PCIX_LOWER_IO_PA +\
+ IOP13XX_PCIX_IO_WINDOW_SIZE - 1)
+ #define IOP13XX_PCIX_UPPER_IO_VA (IOP13XX_PCIX_LOWER_IO_VA +\
+ IOP13XX_PCIX_IO_WINDOW_SIZE - 1)
+-#define IOP13XX_PCIX_IO_OFFSET (IOP13XX_PCIX_LOWER_IO_VA -\
+- IOP13XX_PCIX_LOWER_IO_BA)
+ #define IOP13XX_PCIX_IO_PHYS_TO_VIRT(addr) (u32) ((u32) addr -\
+ (IOP13XX_PCIX_LOWER_IO_PA\
+ - IOP13XX_PCIX_LOWER_IO_VA))
+@@ -65,15 +70,14 @@ static inline int iop13xx_cpu_id(void)
+ #define IOP13XX_PCIE_IO_WINDOW_SIZE 0x10000UL
+ #define IOP13XX_PCIE_LOWER_IO_PA 0xfffd0000UL
+ #define IOP13XX_PCIE_LOWER_IO_VA 0xfed70000UL
+-#define IOP13XX_PCIE_LOWER_IO_BA 0x0fff0000UL
++#define IOP13XX_PCIE_LOWER_IO_BA 0x0UL /* OIOTVR */
++#define IOP13XX_PCIE_IO_BUS_OFFSET 0x1000UL
+ #define IOP13XX_PCIE_UPPER_IO_PA (IOP13XX_PCIE_LOWER_IO_PA +\
+ IOP13XX_PCIE_IO_WINDOW_SIZE - 1)
+ #define IOP13XX_PCIE_UPPER_IO_VA (IOP13XX_PCIE_LOWER_IO_VA +\
+ IOP13XX_PCIE_IO_WINDOW_SIZE - 1)
+ #define IOP13XX_PCIE_UPPER_IO_BA (IOP13XX_PCIE_LOWER_IO_BA +\
+ IOP13XX_PCIE_IO_WINDOW_SIZE - 1)
+-#define IOP13XX_PCIE_IO_OFFSET (IOP13XX_PCIE_LOWER_IO_VA -\
+- IOP13XX_PCIE_LOWER_IO_BA)
+ #define IOP13XX_PCIE_IO_PHYS_TO_VIRT(addr) (u32) ((u32) addr -\
+ (IOP13XX_PCIE_LOWER_IO_PA\
+ - IOP13XX_PCIE_LOWER_IO_VA))
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 2 21:13:25 2007
+Message-ID: <46393773.60005@trash.net>
+Date: Thu, 03 May 2007 03:14:27 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "stable@kernel.org" <stable@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>, Adrian Bunk <bunk@stusta.de>
+Subject: [NETFILTER]: {ip, nf}_nat_proto_gre: do not modify/corrupt GREv0 packets through NAT
+
+From: Jorge Boncompte <jorge@dti2.net>
+
+While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack
+and nat modules to a 2.4.32 kernel I noticed that the gre_key function
+returns a wrong pointer to the GRE key of a version 0 packet thus
+corrupting the packet payload.
+
+The intended behaviour for GREv0 packets is to act like
+nf_conntrack_proto_generic/nf_nat_proto_unknown so I have ripped the
+offending functions (not used anymore) and modified the
+nf_nat_proto_gre modules to not touch version 0 (non PPTP) packets.
+
+Signed-off-by: Jorge Boncompte <jorge@dti2.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+commit 244c67aee5750eb3a79c727d09c01a500e68bbbe
+tree 29bbce944bba681886a6d58c0c6b7bca3858c0e1
+parent 8d8b10482fffcb72b15515231bb942e2ad6395c9
+author Jorge Boncompte <jorge@dti2.net> Thu, 03 May 2007 02:50:51 +0200
+committer Patrick McHardy <kaber@trash.net> Thu, 03 May 2007 02:50:51 +0200
+
+ include/linux/netfilter/nf_conntrack_proto_gre.h | 18 ----------------
+ include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h | 19 -----------------
+ net/ipv4/netfilter/ip_nat_proto_gre.c | 20 +++++++-----------
+ net/ipv4/netfilter/nf_nat_proto_gre.c | 20 +++++++-----------
+ 4 files changed, 16 insertions(+), 61 deletions(-)
+
+--- linux-2.6.21.1.orig/include/linux/netfilter/nf_conntrack_proto_gre.h
++++ linux-2.6.21.1/include/linux/netfilter/nf_conntrack_proto_gre.h
+@@ -87,24 +87,6 @@ int nf_ct_gre_keymap_add(struct nf_conn
+ /* delete keymap entries */
+ void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
+
+-/* get pointer to gre key, if present */
+-static inline __be32 *gre_key(struct gre_hdr *greh)
+-{
+- if (!greh->key)
+- return NULL;
+- if (greh->csum || greh->routing)
+- return (__be32 *)(greh+sizeof(*greh)+4);
+- return (__be32 *)(greh+sizeof(*greh));
+-}
+-
+-/* get pointer ot gre csum, if present */
+-static inline __sum16 *gre_csum(struct gre_hdr *greh)
+-{
+- if (!greh->csum)
+- return NULL;
+- return (__sum16 *)(greh+sizeof(*greh));
+-}
+-
+ extern void nf_ct_gre_keymap_flush(void);
+ extern void nf_nat_need_gre(void);
+
+--- linux-2.6.21.1.orig/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
++++ linux-2.6.21.1/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
+@@ -90,25 +90,6 @@ int ip_ct_gre_keymap_add(struct ip_connt
+ /* delete keymap entries */
+ void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
+
+-
+-/* get pointer to gre key, if present */
+-static inline __be32 *gre_key(struct gre_hdr *greh)
+-{
+- if (!greh->key)
+- return NULL;
+- if (greh->csum || greh->routing)
+- return (__be32 *) (greh+sizeof(*greh)+4);
+- return (__be32 *) (greh+sizeof(*greh));
+-}
+-
+-/* get pointer ot gre csum, if present */
+-static inline __sum16 *gre_csum(struct gre_hdr *greh)
+-{
+- if (!greh->csum)
+- return NULL;
+- return (__sum16 *) (greh+sizeof(*greh));
+-}
+-
+ #endif /* __KERNEL__ */
+
+ #endif /* _CONNTRACK_PROTO_GRE_H */
+--- linux-2.6.21.1.orig/net/ipv4/netfilter/ip_nat_proto_gre.c
++++ linux-2.6.21.1/net/ipv4/netfilter/ip_nat_proto_gre.c
+@@ -70,6 +70,11 @@ gre_unique_tuple(struct ip_conntrack_tup
+ __be16 *keyptr;
+ unsigned int min, i, range_size;
+
++ /* If there is no master conntrack we are not PPTP,
++ do not change tuples */
++ if (!conntrack->master)
++ return 0;
++
+ if (maniptype == IP_NAT_MANIP_SRC)
+ keyptr = &tuple->src.u.gre.key;
+ else
+@@ -122,18 +127,9 @@ gre_manip_pkt(struct sk_buff **pskb,
+ if (maniptype == IP_NAT_MANIP_DST) {
+ /* key manipulation is always dest */
+ switch (greh->version) {
+- case 0:
+- if (!greh->key) {
+- DEBUGP("can't nat GRE w/o key\n");
+- break;
+- }
+- if (greh->csum) {
+- /* FIXME: Never tested this code... */
+- nf_proto_csum_replace4(gre_csum(greh), *pskb,
+- *(gre_key(greh)),
+- tuple->dst.u.gre.key, 0);
+- }
+- *(gre_key(greh)) = tuple->dst.u.gre.key;
++ case GRE_VERSION_1701:
++ /* We do not currently NAT any GREv0 packets.
++ * Try to behave like "ip_nat_proto_unknown" */
+ break;
+ case GRE_VERSION_PPTP:
+ DEBUGP("call_id -> 0x%04x\n",
+--- linux-2.6.21.1.orig/net/ipv4/netfilter/nf_nat_proto_gre.c
++++ linux-2.6.21.1/net/ipv4/netfilter/nf_nat_proto_gre.c
+@@ -72,6 +72,11 @@ gre_unique_tuple(struct nf_conntrack_tup
+ __be16 *keyptr;
+ unsigned int min, i, range_size;
+
++ /* If there is no master conntrack we are not PPTP,
++ do not change tuples */
++ if (!conntrack->master)
++ return 0;
++
+ if (maniptype == IP_NAT_MANIP_SRC)
+ keyptr = &tuple->src.u.gre.key;
+ else
+@@ -122,18 +127,9 @@ gre_manip_pkt(struct sk_buff **pskb, uns
+ if (maniptype != IP_NAT_MANIP_DST)
+ return 1;
+ switch (greh->version) {
+- case 0:
+- if (!greh->key) {
+- DEBUGP("can't nat GRE w/o key\n");
+- break;
+- }
+- if (greh->csum) {
+- /* FIXME: Never tested this code... */
+- nf_proto_csum_replace4(gre_csum(greh), *pskb,
+- *(gre_key(greh)),
+- tuple->dst.u.gre.key, 0);
+- }
+- *(gre_key(greh)) = tuple->dst.u.gre.key;
++ case GRE_VERSION_1701:
++ /* We do not currently NAT any GREv0 packets.
++ * Try to behave like "nf_nat_proto_unknown" */
+ break;
+ case GRE_VERSION_PPTP:
+ DEBUGP("call_id -> 0x%04x\n", ntohs(tuple->dst.u.gre.key));
--- /dev/null
+From stable-bounces@linux.kernel.org Sat May 12 10:39:11 2007
+Message-Id: <200705121736.l4CHawq1012120@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sat, 12 May 2007 10:36:58 -0700
+Cc: Patrick.Schoeller@hp.com, akpm@linux-foundation.org, stable@kernel.org, minyard@acm.org
+Subject: IPMI: fix SI address space settings
+
+From: Corey Minyard <minyard@acm.org>
+
+Fix a rather obvious error that Patrick found in the setup routines. Need to
+set the proper address space in the ACPI case.
+
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Cc: Patrick Schoeller <Patrick.Schoeller@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/char/ipmi/ipmi_si_intf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/char/ipmi/ipmi_si_intf.c
++++ linux-2.6.21.1/drivers/char/ipmi/ipmi_si_intf.c
+@@ -1859,10 +1859,10 @@ static __devinit int try_init_acpi(struc
+
+ if (spmi->addr.space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
+ info->io_setup = mem_setup;
+- info->io.addr_type = IPMI_IO_ADDR_SPACE;
++ info->io.addr_type = IPMI_MEM_ADDR_SPACE;
+ } else if (spmi->addr.space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+ info->io_setup = port_setup;
+- info->io.addr_type = IPMI_MEM_ADDR_SPACE;
++ info->io.addr_type = IPMI_IO_ADDR_SPACE;
+ } else {
+ kfree(info);
+ printk("ipmi_si: Unknown ACPI I/O Address type\n");
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:38:35 2007
+Date: Tue, 15 May 2007 01:36:48 -0700 (PDT)
+Message-Id: <20070515.013648.68156824.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPSEC: Check validity of direction in xfrm_policy_byid
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+The function xfrm_policy_byid takes a dir argument but finds the policy
+using the index instead. We only use the dir argument to update the
+policy count for that direction. Since the user can supply any value
+for dir, this can corrupt our policy count.
+
+I know this is the problem because a few days ago I was deleting
+policies by hand using indicies and accidentally typed in the wrong
+direction. It still deleted the policy and at the time I thought
+that was cool. In retrospect it isn't such a good idea :)
+
+I decided against letting it delete the policy anyway just in case
+we ever remove the connection between indicies and direction.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- linux-2.6.21.1.orig/net/xfrm/xfrm_policy.c
++++ linux-2.6.21.1/net/xfrm/xfrm_policy.c
+@@ -782,6 +782,10 @@ struct xfrm_policy *xfrm_policy_byid(u8
+ struct hlist_head *chain;
+ struct hlist_node *entry;
+
++ *err = -ENOENT;
++ if (xfrm_policy_id2dir(id) != dir)
++ return NULL;
++
+ *err = 0;
+ write_lock_bh(&xfrm_policy_lock);
+ chain = xfrm_policy_byidx + idx_hash(id);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 00:06:43 2007
+Date: Tue, 15 May 2007 00:04:56 -0700 (PDT)
+Message-Id: <20070515.000456.116354901.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6: Do no rely on skb->dst before it is assigned.
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+Because skb->dst is assigned in ip6_route_input(), it is really
+bad to use it in hop-by-hop option handler(s).
+
+Closes: Bug #8450 (Eric Sesterhenn <snakebyte@gmx.de>)
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv6/exthdrs.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/exthdrs.c
++++ linux-2.6.21.1/net/ipv6/exthdrs.c
+@@ -638,6 +638,14 @@ EXPORT_SYMBOL_GPL(ipv6_invert_rthdr);
+ Hop-by-hop options.
+ **********************************/
+
++/*
++ * Note: we cannot rely on skb->dst before we assign it in ip6_route_input().
++ */
++static inline struct inet6_dev *ipv6_skb_idev(struct sk_buff *skb)
++{
++ return skb->dst ? ip6_dst_idev(skb->dst) : __in6_dev_get(skb->dev);
++}
++
+ /* Router Alert as of RFC 2711 */
+
+ static int ipv6_hop_ra(struct sk_buff **skbp, int optoff)
+@@ -664,25 +672,25 @@ static int ipv6_hop_jumbo(struct sk_buff
+ if (skb->nh.raw[optoff+1] != 4 || (optoff&3) != 2) {
+ LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n",
+ skb->nh.raw[optoff+1]);
+- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
++ IP6_INC_STATS_BH(ipv6_skb_idev(skb),
+ IPSTATS_MIB_INHDRERRORS);
+ goto drop;
+ }
+
+ pkt_len = ntohl(*(__be32*)(skb->nh.raw+optoff+2));
+ if (pkt_len <= IPV6_MAXPLEN) {
+- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff+2);
+ return 0;
+ }
+ if (skb->nh.ipv6h->payload_len) {
+- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff);
+ return 0;
+ }
+
+ if (pkt_len > skb->len - sizeof(struct ipv6hdr)) {
+- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INTRUNCATEDPKTS);
++ IP6_INC_STATS_BH(ipv6_skb_idev(skb), IPSTATS_MIB_INTRUNCATEDPKTS);
+ goto drop;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 01:22:55 2007
+Date: Wed, 09 May 2007 01:20:59 -0700 (PDT)
+Message-Id: <20070509.012059.10297819.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6: Fix slab corruption running ip6sic
+
+From: Eric Sesterhenn <snakebyte@gmx.de>
+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/ipv6/xfrm6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/xfrm6_tunnel.c
++++ linux-2.6.21.1/net/ipv6/xfrm6_tunnel.c
+@@ -261,7 +261,7 @@ static int xfrm6_tunnel_rcv(struct sk_bu
+ __be32 spi;
+
+ spi = xfrm6_tunnel_spi_lookup((xfrm_address_t *)&iph->saddr);
+- return xfrm6_rcv_spi(skb, spi);
++ return xfrm6_rcv_spi(skb, spi) > 0 ? : 0;
+ }
+
+ static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:24:50 2007
+Date: Tue, 15 May 2007 01:22:59 -0700 (PDT)
+Message-Id: <20070515.012259.10298321.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6: Reverse sense of promisc tests in ip6_mc_input
+
+From: Corey Mutter <crm-netdev@mutternet.com>
+
+Reverse the sense of the promiscuous-mode tests in ip6_mc_input().
+
+Signed-off-by: Corey Mutter <crm-netdev@mutternet.com>
+Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv6/ip6_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/ip6_input.c
++++ linux-2.6.21.1/net/ipv6/ip6_input.c
+@@ -235,7 +235,7 @@ int ip6_mc_input(struct sk_buff *skb)
+ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INMCASTPKTS);
+
+ hdr = skb->nh.ipv6h;
+- deliver = likely(!(skb->dev->flags & (IFF_PROMISC|IFF_ALLMULTI))) ||
++ deliver = unlikely(skb->dev->flags & (IFF_PROMISC|IFF_ALLMULTI)) ||
+ ipv6_chk_mcast_addr(skb->dev, &hdr->daddr, NULL);
+
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 00:17:31 2007
+Date: Tue, 15 May 2007 00:15:44 -0700 (PDT)
+Message-Id: <20070515.001544.101595078.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6 ROUTE: Assign rt6i_idev for ip6_{prohibit,blk_hole}_entry.
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+I think this is less critical, but is also suitable for -stable
+release.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv6/addrconf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- linux-2.6.21.1.orig/net/ipv6/addrconf.c
++++ linux-2.6.21.1/net/ipv6/addrconf.c
+@@ -4062,6 +4062,10 @@ int __init addrconf_init(void)
+ return err;
+
+ ip6_null_entry.rt6i_idev = in6_dev_get(&loopback_dev);
++#ifdef CONFIG_IPV6_MULTIPLE_TABLES
++ ip6_prohibit_entry.rt6i_idev = in6_dev_get(&loopback_dev);
++ ip6_blk_hole_entry.rt6i_idev = in6_dev_get(&loopback_dev);
++#endif
+
+ register_netdevice_notifier(&ipv6_dev_notf);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 00:03:54 2007
+Date: Tue, 15 May 2007 00:02:07 -0700 (PDT)
+Message-Id: <20070515.000207.107940353.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: IPV6: Send ICMPv6 error on scope violations.
+
+From: David L Stevens <dlstevens@us.ibm.com>
+
+When an IPv6 router is forwarding a packet with a link-local scope source
+address off-link, RFC 4007 requires it to send an ICMPv6 destination
+unreachable with code 2 ("not neighbor"), but Linux doesn't. Fix below.
+
+Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv6/ip6_output.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/ip6_output.c
++++ linux-2.6.21.1/net/ipv6/ip6_output.c
+@@ -449,10 +449,17 @@ int ip6_forward(struct sk_buff *skb)
+ */
+ if (xrlim_allow(dst, 1*HZ))
+ ndisc_send_redirect(skb, n, target);
+- } else if (ipv6_addr_type(&hdr->saddr)&(IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK
+- |IPV6_ADDR_LINKLOCAL)) {
++ } else {
++ int addrtype = ipv6_addr_type(&hdr->saddr);
++
+ /* This check is security critical. */
+- goto error;
++ if (addrtype & (IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK))
++ goto error;
++ if (addrtype & IPV6_ADDR_LINKLOCAL) {
++ icmpv6_send(skb, ICMPV6_DEST_UNREACH,
++ ICMPV6_NOT_NEIGHBOUR, 0, skb->dev);
++ goto error;
++ }
+ }
+
+ if (skb->len > dst_mtu(dst)) {
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Apr 26 16:50:13 2007
+Date: Thu, 26 Apr 2007 16:42:47 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: <yoshfuji@linux-ipv6.org>, "David S. Miller" <davem@davemloft.net>
+Message-ID: <20070426164247.3b3b2c7a@freekitty>
+Cc: stable@kernel.org
+Subject: ipv6: track device renames in snmp6
+
+When network device's are renamed, the IPV6 snmp6 code
+gets confused. It doesn't track name changes so it will OOPS
+when network device's are removed.
+
+The fix is trivial, just unregister/re-register in notify handler.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv6/addrconf.c | 6 ++++--
+ net/ipv6/proc.c | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/addrconf.c
++++ linux-2.6.21.1/net/ipv6/addrconf.c
+@@ -2281,8 +2281,9 @@ static int addrconf_notify(struct notifi
+ break;
+
+ case NETDEV_CHANGENAME:
+-#ifdef CONFIG_SYSCTL
+ if (idev) {
++ snmp6_unregister_dev(idev);
++#ifdef CONFIG_SYSCTL
+ addrconf_sysctl_unregister(&idev->cnf);
+ neigh_sysctl_unregister(idev->nd_parms);
+ neigh_sysctl_register(dev, idev->nd_parms,
+@@ -2290,8 +2291,9 @@ static int addrconf_notify(struct notifi
+ &ndisc_ifinfo_sysctl_change,
+ NULL);
+ addrconf_sysctl_register(idev, &idev->cnf);
+- }
+ #endif
++ snmp6_register_dev(idev);
++ }
+ break;
+ };
+
+--- linux-2.6.21.1.orig/net/ipv6/proc.c
++++ linux-2.6.21.1/net/ipv6/proc.c
+@@ -236,6 +236,7 @@ int snmp6_unregister_dev(struct inet6_de
+ return -EINVAL;
+ remove_proc_entry(idev->stats.proc_dir_entry->name,
+ proc_net_devsnmp6);
++ idev->stats.proc_dir_entry = NULL;
+ return 0;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 20:55:43 2007
+From: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+To: stable@kernel.org
+Date: Tue, 15 May 2007 22:53:36 -0500
+Message-Id: <1179287616.8339.8.camel@kleikamp.austin.ibm.com>
+Cc: linux-kernel <linux-kernel@vger.kernel.org>
+Subject: JFS: Fix race waking up jfsIO kernel thread
+
+It's possible for a journal I/O request to be added to the log_redrive
+queue and the jfsIO thread to be awakened after the thread releases
+log_redrive_lock but before it sets its state to TASK_INTERRUPTIBLE.
+
+The jfsIO thread should set the state before giving up the spinlock, so
+the waking thread will really wake it.
+
+Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/jfs/jfs_logmgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/fs/jfs/jfs_logmgr.c
++++ linux-2.6.21.1/fs/jfs/jfs_logmgr.c
+@@ -2354,12 +2354,13 @@ int jfsIOWait(void *arg)
+ lbmStartIO(bp);
+ spin_lock_irq(&log_redrive_lock);
+ }
+- spin_unlock_irq(&log_redrive_lock);
+
+ if (freezing(current)) {
++ spin_unlock_irq(&log_redrive_lock);
+ refrigerator();
+ } else {
+ set_current_state(TASK_INTERRUPTIBLE);
++ spin_unlock_irq(&log_redrive_lock);
+ schedule();
+ current->state = TASK_RUNNING;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 2 12:49:39 2007
+Date: Wed, 2 May 2007 21:48:37 +0200
+From: Sam Ravnborg <sam@ravnborg.org>
+To: stable@kernel.org
+Message-ID: <20070502194837.GB9044@uranus.ravnborg.org>
+Subject: kbuild: fixdep segfault on pathological string-o-death
+
+From: Andy Green <andy@warmcat.com>
+
+build scripts: fixdep blows segfault on string CONFIG_MODULE seen
+
+The string "CONFIG_MODULE" appearing anywhere in a source file causes
+fixdep to segfault. This string appeared in the wild in the current
+mISDN sources (I think they meant CONFIG_MODULES). But it shouldn't
+segfault (esp as CONFIG_MODULE appeared in a quoted string).
+
+Signed-off-by: Andy Green <andy@warmcat.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+This is not an important fix per see - but I do not like SEGV during compilation...
+Will be pushed to Linus today.
+
+ Sam
+
+ scripts/basic/fixdep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.21.1.orig/scripts/basic/fixdep.c
++++ linux-2.6.21.1/scripts/basic/fixdep.c
+@@ -249,6 +249,8 @@ void parse_config_file(char *map, size_t
+ found:
+ if (!memcmp(q - 7, "_MODULE", 7))
+ q -= 7;
++ if( (q-p-7) < 0 )
++ continue;
+ use_config(p+7, q-p-7);
+ }
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Sun May 6 17:37:33 2007
+From: NeilBrown <neilb@suse.de>
+To: Andrew Morton <akpm@linux-foundation.org>
+Date: Mon, 7 May 2007 10:35:15 +1000
+Message-Id: <1070507003515.24070@suse.de>
+Cc: Neil Brown <neilb@suse.de>, nfs@lists.sourceforge.net, stable@kernel.org
+Subject: knfsd: Avoid use of unitialised variables on error path when nfs exports.
+
+We need to zero various parts of 'exp' before any 'goto out', otherwise
+when we go to free the contents... we die.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/nfsd/export.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff .prev/fs/nfsd/export.c ./fs/nfsd/export.c
+--- linux-2.6.21.1.orig/fs/nfsd/export.c
++++ linux-2.6.21.1/fs/nfsd/export.c
+@@ -469,6 +469,13 @@ static int svc_export_parse(struct cache
+ nd.dentry = NULL;
+ exp.ex_path = NULL;
+
++ /* fs locations */
++ exp.ex_fslocs.locations = NULL;
++ exp.ex_fslocs.locations_count = 0;
++ exp.ex_fslocs.migrated = 0;
++
++ exp.ex_uuid = NULL;
++
+ if (mesg[mlen-1] != '\n')
+ return -EINVAL;
+ mesg[mlen-1] = 0;
+@@ -509,13 +516,6 @@ static int svc_export_parse(struct cache
+ if (exp.h.expiry_time == 0)
+ goto out;
+
+- /* fs locations */
+- exp.ex_fslocs.locations = NULL;
+- exp.ex_fslocs.locations_count = 0;
+- exp.ex_fslocs.migrated = 0;
+-
+- exp.ex_uuid = NULL;
+-
+ /* flags */
+ err = get_int(&mesg, &an_int);
+ if (err == -ENOENT)
--- /dev/null
+From stable-bounces@linux.kernel.org Sun May 6 17:37:48 2007
+From: NeilBrown <neilb@suse.de>
+To: Andrew Morton <akpm@linux-foundation.org>
+Date: Mon, 7 May 2007 10:35:21 +1000
+Message-Id: <1070507003521.24086@suse.de>
+Cc: Neil Brown <neilb@suse.de>, "J. Bruce Fields" <bfields@citi.umich.edu>, nfs@lists.sourceforge.net, stable@kernel.org
+Subject: knfsd: rpc: fix server-side wrapping of krb5i replies
+
+It's not necessarily correct to assume that the xdr_buf used to hold the
+server's reply must have page data whenever it has tail data.
+
+And there's no need for us to deal with that case separately anyway.
+
+Acked-by: "J. Bruce Fields" <bfields@citi.umich.edu>
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/sunrpc/auth_gss/svcauth_gss.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff .prev/net/sunrpc/auth_gss/svcauth_gss.c ./net/sunrpc/auth_gss/svcauth_gss.c
+--- linux-2.6.21.1.orig/net/sunrpc/auth_gss/svcauth_gss.c
++++ linux-2.6.21.1/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1196,13 +1196,7 @@ svcauth_gss_wrap_resp_integ(struct svc_r
+ if (xdr_buf_subsegment(resbuf, &integ_buf, integ_offset,
+ integ_len))
+ BUG();
+- if (resbuf->page_len == 0
+- && resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE
+- < PAGE_SIZE) {
+- BUG_ON(resbuf->tail[0].iov_len);
+- /* Use head for everything */
+- resv = &resbuf->head[0];
+- } else if (resbuf->tail[0].iov_base == NULL) {
++ if (resbuf->tail[0].iov_base == NULL) {
+ if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE > PAGE_SIZE)
+ goto out_err;
+ resbuf->tail[0].iov_base = resbuf->head[0].iov_base
--- /dev/null
+From linux-kernel-owner+glk-linux-kernel-3=40m.gmane.org-S932184AbXEALti@vger.kernel.org Wed May 16 17:02:07 2007
+Date: Tue, 1 May 2007 12:53:27 +0100
+Message-ID: <20070501125327.52dd92e4@the-village.bc.nu>
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+To: Tejun Heo <htejun@gmail.com>, jeff@garzik.org
+Subject: libata-sff: Undo bug introduced with pci_iomap changes
+
+If you have a controller with one channel disabled and unmapped the new
+iomap code blindly tries to iomap unconfigured BARs. Later on the code
+does the right thing and checks for unmapped bars but it is done in the
+wrong order
+
+Reorder the checks and make the iomap conditional
+
+Tejun: I think the code below is now correct but would appreciate you
+giving it a review.
+
+Signed-off-by: Alan Cox <alan@redhat.com>
+Acked-by: Tejun Heo <htejun@gmail.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+[chrisw: Why is this not upstream yet?]
+
+ drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/ata/libata-sff.c
++++ linux-2.6.21.1/drivers/ata/libata-sff.c
+@@ -557,12 +557,30 @@ ata_pci_init_native_mode(struct pci_dev
+ int i, p = 0;
+ void __iomem * const *iomap;
+
++ /* Discard disabled ports. Some controllers show their
++ unused channels this way */
++ if (ata_resources_present(pdev, 0) == 0)
++ ports &= ~ATA_PORT_PRIMARY;
++ if (ata_resources_present(pdev, 1) == 0)
++ ports &= ~ATA_PORT_SECONDARY;
++
+ /* iomap BARs */
+- for (i = 0; i < 4; i++) {
+- if (pcim_iomap(pdev, i, 0) == NULL) {
+- dev_printk(KERN_ERR, &pdev->dev,
+- "failed to iomap PCI BAR %d\n", i);
+- return NULL;
++ if (ports & ATA_PORT_PRIMARY) {
++ for (i = 0; i <= 1; i++) {
++ if (pcim_iomap(pdev, i, 0) == NULL) {
++ dev_printk(KERN_ERR, &pdev->dev,
++ "failed to iomap PCI BAR %d\n", i);
++ return NULL;
++ }
++ }
++ }
++ if (ports & ATA_PORT_SECONDARY) {
++ for (i = 2; i <= 3; i++) {
++ if (pcim_iomap(pdev, i, 0) == NULL) {
++ dev_printk(KERN_ERR, &pdev->dev,
++ "failed to iomap PCI BAR %d\n", i);
++ return NULL;
++ }
+ }
+ }
+
+@@ -577,13 +595,6 @@ ata_pci_init_native_mode(struct pci_dev
+ probe_ent->irq = pdev->irq;
+ probe_ent->irq_flags = IRQF_SHARED;
+
+- /* Discard disabled ports. Some controllers show their
+- unused channels this way */
+- if (ata_resources_present(pdev, 0) == 0)
+- ports &= ~ATA_PORT_PRIMARY;
+- if (ata_resources_present(pdev, 1) == 0)
+- ports &= ~ATA_PORT_SECONDARY;
+-
+ if (ports & ATA_PORT_PRIMARY) {
+ probe_ent->port[p].cmd_addr = iomap[0];
+ probe_ent->port[p].altstatus_addr =
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 23:24:47 2007
+From: NeilBrown <neilb@suse.de>
+To: Andrew Morton <akpm@linux-foundation.org>
+Date: Thu, 10 May 2007 16:22:25 +1000
+Message-Id: <1070510062225.20388@suse.de>
+Cc: linux-raid@vger.kernel.org, Neil Brown <neilb@suse.de>, stable@kernel.org
+Subject: md: Avoid a possibility that a read error can wrongly propagate through md/raid1 to a filesystem.
+
+When a raid1 has only one working drive, we want read error to
+propagate up to the filesystem as there is no point failing the last
+drive in an array.
+
+Currently the code perform this check is racy. If a write and a read
+a both submitted to a device on a 2-drive raid1, and the write fails
+followed by the read failing, the read will see that there is only one
+working drive and will pass the failure up, even though the one
+working drive is actually the *other* one.
+
+So, tighten up the locking.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/md/raid1.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff .prev/drivers/md/raid1.c ./drivers/md/raid1.c
+--- linux-2.6.21.1.orig/drivers/md/raid1.c
++++ linux-2.6.21.1/drivers/md/raid1.c
+@@ -271,21 +271,25 @@ static int raid1_end_read_request(struct
+ */
+ update_head_pos(mirror, r1_bio);
+
+- if (uptodate || (conf->raid_disks - conf->mddev->degraded) <= 1) {
+- /*
+- * Set R1BIO_Uptodate in our master bio, so that
+- * we will return a good error code for to the higher
+- * levels even if IO on some other mirrored buffer fails.
+- *
+- * The 'master' represents the composite IO operation to
+- * user-side. So if something waits for IO, then it will
+- * wait for the 'master' bio.
++ if (uptodate)
++ set_bit(R1BIO_Uptodate, &r1_bio->state);
++ else {
++ /* If all other devices have failed, we want to return
++ * the error upwards rather than fail the last device.
++ * Here we redefine "uptodate" to mean "Don't want to retry"
+ */
+- if (uptodate)
+- set_bit(R1BIO_Uptodate, &r1_bio->state);
++ unsigned long flags;
++ spin_lock_irqsave(&conf->device_lock, flags);
++ if (r1_bio->mddev->degraded == conf->raid_disks ||
++ (r1_bio->mddev->degraded == conf->raid_disks-1 &&
++ !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags)))
++ uptodate = 1;
++ spin_unlock_irqrestore(&conf->device_lock, flags);
++ }
+
++ if (uptodate)
+ raid_end_bio_io(r1_bio);
+- } else {
++ else {
+ /*
+ * oops, read error:
+ */
+@@ -992,13 +996,14 @@ static void error(mddev_t *mddev, mdk_rd
+ unsigned long flags;
+ spin_lock_irqsave(&conf->device_lock, flags);
+ mddev->degraded++;
++ set_bit(Faulty, &rdev->flags);
+ spin_unlock_irqrestore(&conf->device_lock, flags);
+ /*
+ * if recovery is running, make sure it aborts.
+ */
+ set_bit(MD_RECOVERY_ERR, &mddev->recovery);
+- }
+- set_bit(Faulty, &rdev->flags);
++ } else
++ set_bit(Faulty, &rdev->flags);
+ set_bit(MD_CHANGE_DEVS, &mddev->flags);
+ printk(KERN_ALERT "raid1: Disk failure on %s, disabling device. \n"
+ " Operation continuing on %d devices\n",
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:25:35 2007
+Date: Tue, 15 May 2007 01:23:46 -0700 (PDT)
+Message-Id: <20070515.012346.34759663.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: NET_SCHED: prio qdisc boundary condition
+
+From: Jamal Hadi Salim <hadi@cyberus.ca>
+
+This fixes an out-of-boundary condition when the classified
+band equals q->bands. Caught by Alexey
+
+Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/sched/sch_prio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/net/sched/sch_prio.c
++++ linux-2.6.21.1/net/sched/sch_prio.c
+@@ -74,7 +74,7 @@ prio_classify(struct sk_buff *skb, struc
+ band = res.classid;
+ }
+ band = TC_H_MIN(band) - 1;
+- if (band > q->bands)
++ if (band >= q->bands)
+ return q->queues[q->prio2band[0]];
+
+ return q->queues[band];
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 16 09:58:34 2007
+Message-ID: <464B37AB.5040802@trash.net>
+Date: Wed, 16 May 2007 18:56:11 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>, "David S. Miller" <davem@davemloft.net>
+Subject: NETFILTER: {ip,nf}_conntrack: fix use-after-free in helper destroy callback invocation
+
+When the helper module is removed for a master connection that has a
+fulfilled expectation, but has already timed out and got removed from
+the hash tables, nf_conntrack_helper_unregister can't find the master
+connection to unset the helper, causing a use-after-free when the
+expected connection is destroyed and releases the last reference to
+the master.
+
+The helper destroy callback was introduced for the PPtP helper to clean
+up expectations and expected connections when the master connection
+times out, but doing this from destroy_conntrack only works for
+unfulfilled expectations since expected connections hold a reference
+to the master, preventing its destruction. Move the destroy callback to
+the timeout function, which fixes both problems.
+
+Reported/tested by Gabor Burjan <buga@buvoshetes.hu>.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+commit 441f15ce23ef5c4d149b7e7985f63c1ddd334c45
+tree 8783e067803def0fc2773ef3515190143ac47320
+parent 8d8b10482fffcb72b15515231bb942e2ad6395c9
+author Patrick McHardy <kaber@trash.net> Wed, 16 May 2007 18:52:36 +0200
+committer Patrick McHardy <kaber@trash.net> Wed, 16 May 2007 18:52:36 +0200
+
+ net/ipv4/netfilter/ip_conntrack_core.c | 10 +++++-----
+ net/netfilter/nf_conntrack_core.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv4/netfilter/ip_conntrack_core.c
++++ linux-2.6.21.1/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -302,7 +302,6 @@ destroy_conntrack(struct nf_conntrack *n
+ {
+ struct ip_conntrack *ct = (struct ip_conntrack *)nfct;
+ struct ip_conntrack_protocol *proto;
+- struct ip_conntrack_helper *helper;
+ typeof(ip_conntrack_destroyed) destroyed;
+
+ DEBUGP("destroy_conntrack(%p)\n", ct);
+@@ -312,10 +311,6 @@ destroy_conntrack(struct nf_conntrack *n
+ ip_conntrack_event(IPCT_DESTROY, ct);
+ set_bit(IPS_DYING_BIT, &ct->status);
+
+- helper = ct->helper;
+- if (helper && helper->destroy)
+- helper->destroy(ct);
+-
+ /* To make sure we don't get any weird locking issues here:
+ * destroy_conntrack() MUST NOT be called with a write lock
+ * to ip_conntrack_lock!!! -HW */
+@@ -356,6 +351,11 @@ destroy_conntrack(struct nf_conntrack *n
+ static void death_by_timeout(unsigned long ul_conntrack)
+ {
+ struct ip_conntrack *ct = (void *)ul_conntrack;
++ struct ip_conntrack_helper *helper;
++
++ helper = ct->helper;
++ if (helper && helper->destroy)
++ helper->destroy(ct);
+
+ write_lock_bh(&ip_conntrack_lock);
+ /* Inside lock so preempt is disabled on module removal path.
+--- linux-2.6.21.1.orig/net/netfilter/nf_conntrack_core.c
++++ linux-2.6.21.1/net/netfilter/nf_conntrack_core.c
+@@ -315,7 +315,6 @@ static void
+ destroy_conntrack(struct nf_conntrack *nfct)
+ {
+ struct nf_conn *ct = (struct nf_conn *)nfct;
+- struct nf_conn_help *help = nfct_help(ct);
+ struct nf_conntrack_l3proto *l3proto;
+ struct nf_conntrack_l4proto *l4proto;
+ typeof(nf_conntrack_destroyed) destroyed;
+@@ -327,9 +326,6 @@ destroy_conntrack(struct nf_conntrack *n
+ nf_conntrack_event(IPCT_DESTROY, ct);
+ set_bit(IPS_DYING_BIT, &ct->status);
+
+- if (help && help->helper && help->helper->destroy)
+- help->helper->destroy(ct);
+-
+ /* To make sure we don't get any weird locking issues here:
+ * destroy_conntrack() MUST NOT be called with a write lock
+ * to nf_conntrack_lock!!! -HW */
+@@ -375,6 +371,10 @@ destroy_conntrack(struct nf_conntrack *n
+ static void death_by_timeout(unsigned long ul_conntrack)
+ {
+ struct nf_conn *ct = (void *)ul_conntrack;
++ struct nf_conn_help *help = nfct_help(ct);
++
++ if (help && help->helper && help->helper->destroy)
++ help->helper->destroy(ct);
+
+ write_lock_bh(&nf_conntrack_lock);
+ /* Inside lock so preempt is disabled on module removal path.
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 01:29:47 2007
+Date: Wed, 09 May 2007 01:27:55 -0700 (PDT)
+Message-Id: <20070509.012755.02298606.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: NETPOLL: Fix TX queue overflow in trapped mode.
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+CONFIG_NETPOLL_TRAP causes the TX queue controls to be completely bypassed in
+the netpoll's "trapped" mode which easily causes overflows in the drivers with
+short TX queues (most notably, in 8139too with its 4-deep queue). So, make
+this option more sensible by making it only bypass the TX softirq wakeup.
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Acked-by: Jeff Garzik <jgarzik@pobox.com>
+Acked-by: Tom Rini <trini@kernel.crashing.org>
+Acked-by: Matt Mackall <mpm@selenic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ include/linux/netdevice.h | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- linux-2.6.21.1.orig/include/linux/netdevice.h
++++ linux-2.6.21.1/include/linux/netdevice.h
+@@ -647,8 +647,10 @@ static inline void netif_start_queue(str
+ static inline void netif_wake_queue(struct net_device *dev)
+ {
+ #ifdef CONFIG_NETPOLL_TRAP
+- if (netpoll_trap())
++ if (netpoll_trap()) {
++ clear_bit(__LINK_STATE_XOFF, &dev->state);
+ return;
++ }
+ #endif
+ if (test_and_clear_bit(__LINK_STATE_XOFF, &dev->state))
+ __netif_schedule(dev);
+@@ -656,10 +658,6 @@ static inline void netif_wake_queue(stru
+
+ static inline void netif_stop_queue(struct net_device *dev)
+ {
+-#ifdef CONFIG_NETPOLL_TRAP
+- if (netpoll_trap())
+- return;
+-#endif
+ set_bit(__LINK_STATE_XOFF, &dev->state);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 01:31:23 2007
+Date: Wed, 09 May 2007 01:29:18 -0700 (PDT)
+Message-Id: <20070509.012918.68157237.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: NETPOLL: Remove CONFIG_NETPOLL_RX
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+Get rid of the CONFIG_NETPOLL_RX option completely since all the
+dependencies have been removed long ago...
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Acked-by: Jeff Garzik <jgarzik@pobox.com>
+Acked-by: Matt Mackall <mpm@selenic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/Kconfig | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/Kconfig
++++ linux-2.6.21.1/drivers/net/Kconfig
+@@ -2929,11 +2929,6 @@ endif #NETDEVICES
+ config NETPOLL
+ def_bool NETCONSOLE
+
+-config NETPOLL_RX
+- bool "Netpoll support for trapping incoming packets"
+- default n
+- depends on NETPOLL
+-
+ config NETPOLL_TRAP
+ bool "Netpoll traffic trapping"
+ default n
--- /dev/null
+From stable-bounces@linux.kernel.org Sun May 6 15:23:33 2007
+Message-Id: <200705062150.l46Lo1r4024550@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sun, 06 May 2007 14:50:00 -0700
+Cc: npiggin@suse.de, clameter@engr.sgi.com, ak@suse.de, mbligh@mbligh.org, rientjes@google.com, akpm@linux-foundation.org, stable@kernel.org
+Subject: oom: fix constraint deadlock
+
+From: David Rientjes <rientjes@google.com>
+
+Fixes a deadlock in the OOM killer for allocations that are not
+__GFP_HARDWALL.
+
+Before the OOM killer checks for the allocation constraint, it takes
+callback_mutex.
+
+constrained_alloc() iterates through each zone in the allocation zonelist
+and calls cpuset_zone_allowed_softwall() to determine whether an allocation
+for gfp_mask is possible. If a zone's node is not in the OOM-triggering
+task's mems_allowed, it is not exiting, and we did not fail on a
+__GFP_HARDWALL allocation, cpuset_zone_allowed_softwall() attempts to take
+callback_mutex to check the nearest exclusive ancestor of current's cpuset.
+ This results in deadlock.
+
+We now take callback_mutex after iterating through the zonelist since we
+don't need it yet.
+
+Cc: Andi Kleen <ak@suse.de>
+Cc: Nick Piggin <npiggin@suse.de>
+Cc: Christoph Lameter <clameter@engr.sgi.com>
+Cc: Martin J. Bligh <mbligh@mbligh.org>
+Signed-off-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ mm/oom_kill.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/mm/oom_kill.c
++++ linux-2.6.21.1/mm/oom_kill.c
+@@ -397,6 +397,7 @@ void out_of_memory(struct zonelist *zone
+ struct task_struct *p;
+ unsigned long points = 0;
+ unsigned long freed = 0;
++ int constraint;
+
+ blocking_notifier_call_chain(&oom_notify_list, 0, &freed);
+ if (freed > 0)
+@@ -411,14 +412,15 @@ void out_of_memory(struct zonelist *zone
+ show_mem();
+ }
+
+- cpuset_lock();
+- read_lock(&tasklist_lock);
+-
+ /*
+ * Check if there were limitations on the allocation (only relevant for
+ * NUMA) that may require different handling.
+ */
+- switch (constrained_alloc(zonelist, gfp_mask)) {
++ constraint = constrained_alloc(zonelist, gfp_mask);
++ cpuset_lock();
++ read_lock(&tasklist_lock);
++
++ switch (constraint) {
+ case CONSTRAINT_MEMORY_POLICY:
+ oom_kill_process(current, points,
+ "No available memory (MPOL_BIND)");
--- /dev/null
+From stable-bounces@linux.kernel.org Thu May 10 23:01:01 2007
+Message-Id: <200705110558.l4B5wpgh007979@shell0.pdx.osdl.net>
+To: greg@kroah.com
+From: akpm@linux-foundation.org
+Date: Thu, 10 May 2007 22:58:51 -0700
+Cc: akpm@linux-foundation.org, htejun@gmail.com, stable@kernel.org, jeff@garzik.org, torresmat@gmail.com
+Subject: pci-quirks: disable MSI on RS400-200 and RS480
+
+From: Tejun Heo <htejun@gmail.com>
+
+MSI doesn't work on RS400-200 and RS480 requiring pci=nomsi kernel boot
+parameter for ahci to work. This patch renames quirk_svw_msi() to
+quirk_disable_all_msi() and use it to disable MSI on those chips.
+
+ http://thread.gmane.org/gmane.linux.ide/17820
+ http://thread.gmane.org/gmane.linux.ide/17516
+ https://bugzilla.novell.com/show_bug.cgi?id=263893
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Cc: MatÃ-as Alejandro Torres <torresmat@gmail.com>
+Cc: Greg K-H <greg@kroah.com>
+Cc: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/pci/quirks.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/pci/quirks.c
++++ linux-2.6.21.1/drivers/pci/quirks.c
+@@ -1737,18 +1737,20 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_N
+ quirk_nvidia_ck804_pcie_aer_ext_cap);
+
+ #ifdef CONFIG_PCI_MSI
+-/* The Serverworks PCI-X chipset does not support MSI. We cannot easily rely
+- * on setting PCI_BUS_FLAGS_NO_MSI in its bus flags because there are actually
+- * some other busses controlled by the chipset even if Linux is not aware of it.
+- * Instead of setting the flag on all busses in the machine, simply disable MSI
+- * globally.
++/* Some chipsets do not support MSI. We cannot easily rely on setting
++ * PCI_BUS_FLAGS_NO_MSI in its bus flags because there are actually
++ * some other busses controlled by the chipset even if Linux is not
++ * aware of it. Instead of setting the flag on all busses in the
++ * machine, simply disable MSI globally.
+ */
+-static void __init quirk_svw_msi(struct pci_dev *dev)
++static void __init quirk_disable_all_msi(struct pci_dev *dev)
+ {
+ pci_no_msi();
+ printk(KERN_WARNING "PCI: MSI quirk detected. MSI deactivated.\n");
+ }
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_GCNB_LE, quirk_svw_msi);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_SERVERWORKS, PCI_DEVICE_ID_SERVERWORKS_GCNB_LE, quirk_disable_all_msi);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_disable_all_msi);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi);
+
+ /* Disable MSI on chipsets that are known to not support it */
+ static void __devinit quirk_disable_msi(struct pci_dev *dev)
--- /dev/null
+From stable-bounces@linux.kernel.org Sun May 6 15:22:41 2007
+Message-Id: <200705062151.l46LpuEB025013@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sun, 06 May 2007 14:51:56 -0700
+Cc: akpm@linux-foundation.org, stefan.wenk@gmx.at, rpurdie@rpsys.net, stable@kernel.org
+Subject: ppp: Fix ppp_deflate issues with recent zlib_inflate changes
+
+From: Richard Purdie <rpurdie@rpsys.net>
+
+The last zlib_inflate update broke certain corner cases for ppp_deflate
+decompression handling. This patch fixes some logic to make things work
+properly again. Users other than ppp_deflate (the only Z_PACKET_FLUSH
+user) should be unaffected.
+
+Fixes bug 8405 (confirmed by Stefan)
+
+Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
+Cc: Stefan Wenk <stefan.wenk@gmx.at>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ lib/zlib_inflate/inflate.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/lib/zlib_inflate/inflate.c
++++ linux-2.6.21.1/lib/zlib_inflate/inflate.c
+@@ -743,12 +743,14 @@ int zlib_inflate(z_streamp strm, int flu
+
+ strm->data_type = state->bits + (state->last ? 64 : 0) +
+ (state->mode == TYPE ? 128 : 0);
+- if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
+- ret = Z_BUF_ERROR;
+
+ if (flush == Z_PACKET_FLUSH && ret == Z_OK &&
+- (strm->avail_out != 0 || strm->avail_in == 0))
++ strm->avail_out != 0 && strm->avail_in == 0)
+ return zlib_inflateSyncPacket(strm);
++
++ if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
++ ret = Z_BUF_ERROR;
++
+ return ret;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Apr 30 15:11:55 2007
+Message-Id: <200704302209.l3UM9oqQ016058@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Mon, 30 Apr 2007 15:09:50 -0700
+Cc: tiwai@suse.de, adaplas@pol.net, akpm@linux-foundation.org, stable@kernel.org, jeffm@suse.de
+Subject: reiserfs: suppress lockdep warning
+
+From: Jeff Mahoney <jeffm@suse.de>
+
+We're getting lockdep warnings due to a post-2.6.21-rc7 bugfix.
+
+The xattr_sem can never be taken in the manner described. Internal inodes
+are protected by I_PRIVATE. Add the appropriate annotation.
+
+Cc: <stable@kernel.org>
+Cc: "Antonino A. Daplas" <adaplas@pol.net>
+Cc: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/reiserfs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/fs/reiserfs/xattr.c
++++ linux-2.6.21.1/fs/reiserfs/xattr.c
+@@ -68,7 +68,7 @@ static struct dentry *get_xa_root(struct
+ if (!privroot)
+ return ERR_PTR(-ENODATA);
+
+- mutex_lock(&privroot->d_inode->i_mutex);
++ mutex_lock_nested(&privroot->d_inode->i_mutex, I_MUTEX_XATTR);
+ if (REISERFS_SB(sb)->xattr_root) {
+ xaroot = dget(REISERFS_SB(sb)->xattr_root);
+ goto out;
--- /dev/null
+From stable-bounces@linux.kernel.org Fri May 11 09:19:11 2007
+Date: Sat, 12 May 2007 01:17:28 +0900 (JST)
+Message-Id: <20070512.011728.16743460.yoshfuji@linux-ipv6.org>
+To: davem@davemloft.net
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Cc: yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, stable@kernel.org
+Subject: IPV6: Restore semantics of Routing Header processing.
+
+The "fix" for emerging security threats was overkill and it broke
+basic semantic of IPv6 routing header processing. We should assume
+RT0 (or even RT2, depends on configuration) as "unknown" RH type so
+that we
+- silently ignore the routing header if segleft == 0
+- or, send ICMPv6 Parameter Problem message back to the sender,
+ otherwise.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/ipv6/exthdrs.c | 46 ++++++++++++++++------------------------------
+ 1 file changed, 16 insertions(+), 30 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv6/exthdrs.c
++++ linux-2.6.21.1/net/ipv6/exthdrs.c
+@@ -368,22 +368,13 @@ static int ipv6_rthdr_rcv(struct sk_buff
+ struct rt0_hdr *rthdr;
+ int accept_source_route = ipv6_devconf.accept_source_route;
+
+- if (accept_source_route < 0 ||
+- ((idev = in6_dev_get(skb->dev)) == NULL)) {
+- kfree_skb(skb);
+- return -1;
+- }
+- if (idev->cnf.accept_source_route < 0) {
++ idev = in6_dev_get(skb->dev);
++ if (idev) {
++ if (accept_source_route > idev->cnf.accept_source_route)
++ accept_source_route = idev->cnf.accept_source_route;
+ in6_dev_put(idev);
+- kfree_skb(skb);
+- return -1;
+ }
+
+- if (accept_source_route > idev->cnf.accept_source_route)
+- accept_source_route = idev->cnf.accept_source_route;
+-
+- in6_dev_put(idev);
+-
+ if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) ||
+ !pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) {
+ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
+@@ -394,23 +385,6 @@ static int ipv6_rthdr_rcv(struct sk_buff
+
+ hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+
+- switch (hdr->type) {
+-#ifdef CONFIG_IPV6_MIP6
+- case IPV6_SRCRT_TYPE_2:
+- break;
+-#endif
+- case IPV6_SRCRT_TYPE_0:
+- if (accept_source_route > 0)
+- break;
+- kfree_skb(skb);
+- return -1;
+- default:
+- IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
+- IPSTATS_MIB_INHDRERRORS);
+- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+- return -1;
+- }
+-
+ if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+ skb->pkt_type != PACKET_HOST) {
+ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
+@@ -450,6 +424,8 @@ looped_back:
+
+ switch (hdr->type) {
+ case IPV6_SRCRT_TYPE_0:
++ if (accept_source_route <= 0)
++ goto unknown_rh;
+ if (hdr->hdrlen & 0x01) {
+ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
+ IPSTATS_MIB_INHDRERRORS);
+@@ -459,6 +435,8 @@ looped_back:
+ break;
+ #ifdef CONFIG_IPV6_MIP6
+ case IPV6_SRCRT_TYPE_2:
++ if (accept_source_route < 0)
++ goto unknown_rh;
+ /* Silently discard invalid RTH type 2 */
+ if (hdr->hdrlen != 2 || hdr->segments_left != 1) {
+ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
+@@ -468,6 +446,8 @@ looped_back:
+ }
+ break;
+ #endif
++ default:
++ goto unknown_rh;
+ }
+
+ /*
+@@ -569,6 +549,12 @@ looped_back:
+ skb_push(skb, skb->data - skb->nh.raw);
+ dst_input(skb);
+ return -1;
++
++unknown_rh:
++ IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
++ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
++ (&hdr->type) - skb->nh.raw);
++ return -1;
+ }
+
+ static struct inet6_protocol rthdr_protocol = {
--- /dev/null
+From stable-bounces@linux.kernel.org Fri May 4 06:32:42 2007
+Message-ID: <463B357A.4090703@gmail.com>
+Date: Fri, 04 May 2007 15:30:34 +0200
+From: Tejun Heo <htejun@gmail.com>
+To: Jeff Garzik <jeff@garzik.org>, IDE/ATA development list <linux-ide@vger.kernel.org>, stable@kernel.org
+Cc: Jeroen Janssen <jeroen.janssen@gmail.com>
+Subject: sata_via: add missing PM hooks
+
+For some reason, sata_via is missing PM hooks. Add them. Spotted by
+Jeroen Janssen <jeroen.janssen@gmail.com>.
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Cc: Jeroen Janssen <jeroen.janssen@gmail.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/ata/sata_via.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/ata/sata_via.c
++++ linux-2.6.21.1/drivers/ata/sata_via.c
+@@ -97,6 +97,10 @@ static struct pci_driver svia_pci_driver
+ .name = DRV_NAME,
+ .id_table = svia_pci_tbl,
+ .probe = svia_init_one,
++#ifdef CONFIG_PM
++ .suspend = ata_pci_device_suspend,
++ .resume = ata_pci_device_resume,
++#endif
+ .remove = ata_pci_remove_one,
+ };
+
+@@ -116,6 +120,10 @@ static struct scsi_host_template svia_sh
+ .slave_configure = ata_scsi_slave_config,
+ .slave_destroy = ata_scsi_slave_destroy,
+ .bios_param = ata_std_bios_param,
++#ifdef CONFIG_PM
++ .suspend = ata_scsi_device_suspend,
++ .resume = ata_scsi_device_resume,
++#endif
+ };
+
+ static const struct ata_port_operations vt6420_sata_ops = {
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 01:33:28 2007
+Date: Wed, 09 May 2007 01:31:28 -0700 (PDT)
+Message-Id: <20070509.013128.27783020.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SCTP: Fix sctp_getsockopt_local_addrs_old() to use local storage.
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+sctp_getsockopt_local_addrs_old() in net/sctp/socket.c calls
+copy_to_user() while the spinlock addr_lock is held. this should not
+be done as copy_to_user() might sleep. the call to
+sctp_copy_laddrs_to_user() while holding the lock is also problematic
+as it calls copy_to_user()
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/sctp/socket.c | 96 +++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 60 insertions(+), 36 deletions(-)
+
+--- linux-2.6.21.1.orig/net/sctp/socket.c
++++ linux-2.6.21.1/net/sctp/socket.c
+@@ -3847,7 +3847,7 @@ static int sctp_getsockopt_peer_addrs(st
+ memcpy(&temp, &from->ipaddr, sizeof(temp));
+ sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp);
+ addrlen = sctp_get_af_specific(sk->sk_family)->sockaddr_len;
+- if(space_left < addrlen)
++ if (space_left < addrlen)
+ return -ENOMEM;
+ if (copy_to_user(to, &temp, addrlen))
+ return -EFAULT;
+@@ -3936,8 +3936,9 @@ done:
+ /* Helper function that copies local addresses to user and returns the number
+ * of addresses copied.
+ */
+-static int sctp_copy_laddrs_to_user_old(struct sock *sk, __u16 port, int max_addrs,
+- void __user *to)
++static int sctp_copy_laddrs_old(struct sock *sk, __u16 port,
++ int max_addrs, void *to,
++ int *bytes_copied)
+ {
+ struct list_head *pos, *next;
+ struct sctp_sockaddr_entry *addr;
+@@ -3954,10 +3955,10 @@ static int sctp_copy_laddrs_to_user_old(
+ sctp_get_pf_specific(sk->sk_family)->addr_v4map(sctp_sk(sk),
+ &temp);
+ addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
+- if (copy_to_user(to, &temp, addrlen))
+- return -EFAULT;
++ memcpy(to, &temp, addrlen);
+
+ to += addrlen;
++ *bytes_copied += addrlen;
+ cnt ++;
+ if (cnt >= max_addrs) break;
+ }
+@@ -3965,8 +3966,8 @@ static int sctp_copy_laddrs_to_user_old(
+ return cnt;
+ }
+
+-static int sctp_copy_laddrs_to_user(struct sock *sk, __u16 port,
+- void __user **to, size_t space_left)
++static int sctp_copy_laddrs(struct sock *sk, __u16 port, void *to,
++ size_t space_left, int *bytes_copied)
+ {
+ struct list_head *pos, *next;
+ struct sctp_sockaddr_entry *addr;
+@@ -3983,14 +3984,14 @@ static int sctp_copy_laddrs_to_user(stru
+ sctp_get_pf_specific(sk->sk_family)->addr_v4map(sctp_sk(sk),
+ &temp);
+ addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
+- if(space_left<addrlen)
++ if (space_left < addrlen)
+ return -ENOMEM;
+- if (copy_to_user(*to, &temp, addrlen))
+- return -EFAULT;
++ memcpy(to, &temp, addrlen);
+
+- *to += addrlen;
++ to += addrlen;
+ cnt ++;
+ space_left -= addrlen;
++ bytes_copied += addrlen;
+ }
+
+ return cnt;
+@@ -4014,6 +4015,8 @@ static int sctp_getsockopt_local_addrs_o
+ int addrlen;
+ rwlock_t *addr_lock;
+ int err = 0;
++ void *addrs;
++ int bytes_copied = 0;
+
+ if (len != sizeof(struct sctp_getaddrs_old))
+ return -EINVAL;
+@@ -4041,6 +4044,15 @@ static int sctp_getsockopt_local_addrs_o
+
+ to = getaddrs.addrs;
+
++ /* Allocate space for a local instance of packed array to hold all
++ * the data. We store addresses here first and then put write them
++ * to the user in one shot.
++ */
++ addrs = kmalloc(sizeof(union sctp_addr) * getaddrs.addr_num,
++ GFP_KERNEL);
++ if (!addrs)
++ return -ENOMEM;
++
+ sctp_read_lock(addr_lock);
+
+ /* If the endpoint is bound to 0.0.0.0 or ::0, get the valid
+@@ -4050,13 +4062,9 @@ static int sctp_getsockopt_local_addrs_o
+ addr = list_entry(bp->address_list.next,
+ struct sctp_sockaddr_entry, list);
+ if (sctp_is_any(&addr->a)) {
+- cnt = sctp_copy_laddrs_to_user_old(sk, bp->port,
+- getaddrs.addr_num,
+- to);
+- if (cnt < 0) {
+- err = cnt;
+- goto unlock;
+- }
++ cnt = sctp_copy_laddrs_old(sk, bp->port,
++ getaddrs.addr_num,
++ addrs, &bytes_copied);
+ goto copy_getaddrs;
+ }
+ }
+@@ -4066,22 +4074,29 @@ static int sctp_getsockopt_local_addrs_o
+ memcpy(&temp, &addr->a, sizeof(temp));
+ sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp);
+ addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
+- if (copy_to_user(to, &temp, addrlen)) {
+- err = -EFAULT;
+- goto unlock;
+- }
++ memcpy(addrs, &temp, addrlen);
+ to += addrlen;
++ bytes_copied += addrlen;
+ cnt ++;
+ if (cnt >= getaddrs.addr_num) break;
+ }
+
+ copy_getaddrs:
++ sctp_read_unlock(addr_lock);
++
++ /* copy the entire address list into the user provided space */
++ if (copy_to_user(to, addrs, bytes_copied)) {
++ err = -EFAULT;
++ goto error;
++ }
++
++ /* copy the leading structure back to user */
+ getaddrs.addr_num = cnt;
+ if (copy_to_user(optval, &getaddrs, sizeof(struct sctp_getaddrs_old)))
+ err = -EFAULT;
+
+-unlock:
+- sctp_read_unlock(addr_lock);
++error:
++ kfree(addrs);
+ return err;
+ }
+
+@@ -4101,7 +4116,8 @@ static int sctp_getsockopt_local_addrs(s
+ rwlock_t *addr_lock;
+ int err = 0;
+ size_t space_left;
+- int bytes_copied;
++ int bytes_copied = 0;
++ void *addrs;
+
+ if (len <= sizeof(struct sctp_getaddrs))
+ return -EINVAL;
+@@ -4129,6 +4145,9 @@ static int sctp_getsockopt_local_addrs(s
+ to = optval + offsetof(struct sctp_getaddrs,addrs);
+ space_left = len - sizeof(struct sctp_getaddrs) -
+ offsetof(struct sctp_getaddrs,addrs);
++ addrs = kmalloc(space_left, GFP_KERNEL);
++ if (!addrs)
++ return -ENOMEM;
+
+ sctp_read_lock(addr_lock);
+
+@@ -4139,11 +4158,11 @@ static int sctp_getsockopt_local_addrs(s
+ addr = list_entry(bp->address_list.next,
+ struct sctp_sockaddr_entry, list);
+ if (sctp_is_any(&addr->a)) {
+- cnt = sctp_copy_laddrs_to_user(sk, bp->port,
+- &to, space_left);
++ cnt = sctp_copy_laddrs(sk, bp->port, addrs,
++ space_left, &bytes_copied);
+ if (cnt < 0) {
+ err = cnt;
+- goto unlock;
++ goto error;
+ }
+ goto copy_getaddrs;
+ }
+@@ -4154,26 +4173,31 @@ static int sctp_getsockopt_local_addrs(s
+ memcpy(&temp, &addr->a, sizeof(temp));
+ sctp_get_pf_specific(sk->sk_family)->addr_v4map(sp, &temp);
+ addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
+- if(space_left < addrlen)
+- return -ENOMEM; /*fixme: right error?*/
+- if (copy_to_user(to, &temp, addrlen)) {
+- err = -EFAULT;
+- goto unlock;
++ if (space_left < addrlen) {
++ err = -ENOMEM; /*fixme: right error?*/
++ goto error;
+ }
++ memcpy(addrs, &temp, addrlen);
+ to += addrlen;
++ bytes_copied += addrlen;
+ cnt ++;
+ space_left -= addrlen;
+ }
+
+ copy_getaddrs:
++ sctp_read_unlock(addr_lock);
++
++ if (copy_to_user(to, addrs, bytes_copied)) {
++ err = -EFAULT;
++ goto error;
++ }
+ if (put_user(cnt, &((struct sctp_getaddrs __user *)optval)->addr_num))
+ return -EFAULT;
+- bytes_copied = ((char __user *)to) - optval;
+ if (put_user(bytes_copied, optlen))
+ return -EFAULT;
+
+-unlock:
+- sctp_read_unlock(addr_lock);
++error:
++ kfree(addrs);
+ return err;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:34:26 2007
+Date: Tue, 15 May 2007 01:32:35 -0700 (PDT)
+Message-Id: <20070515.013235.31256147.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SCTP: Prevent OOPS if hmac modules didn't load
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+SCTP was checking for NULL when trying to detect hmac
+allocation failure where it should have been using IS_ERR.
+Also, print a rate limited warning to the log telling the
+user what happend.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/sctp/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/net/sctp/socket.c
++++ linux-2.6.21.1/net/sctp/socket.c
+@@ -4985,7 +4985,12 @@ int sctp_inet_listen(struct socket *sock
+ /* Allocate HMAC for generating cookie. */
+ if (sctp_hmac_alg) {
+ tfm = crypto_alloc_hash(sctp_hmac_alg, 0, CRYPTO_ALG_ASYNC);
+- if (!tfm) {
++ if (IS_ERR(tfm)) {
++ if (net_ratelimit()) {
++ printk(KERN_INFO
++ "SCTP: failed to load transform for %s: %ld\n",
++ sctp_hmac_alg, PTR_ERR(tfm));
++ }
+ err = -ENOSYS;
+ goto out;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:41:55 2007
+Date: Tue, 15 May 2007 01:40:09 -0700 (PDT)
+Message-Id: <20070515.014009.26532099.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SERIAL SUNHV: Add an ID string.
+
+From: "David S. Miller" <davem@sunset.davemloft.net>
+
+The 'compatible' property can be SUNW,sun4v-console as
+well as 'qcn'.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/serial/sunhv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/serial/sunhv.c
++++ linux-2.6.21.1/drivers/serial/sunhv.c
+@@ -493,6 +493,10 @@ static struct of_device_id hv_match[] =
+ .name = "console",
+ .compatible = "qcn",
+ },
++ {
++ .name = "console",
++ .compatible = "SUNW,sun4v-console",
++ },
+ {},
+ };
+ MODULE_DEVICE_TABLE(of, hv_match);
--- /dev/null
+ipv6-track-device-renames-in-snmp6.patch
+sis900-allocate-rx-replacement-buffer-before-rx-operation.patch
+smc911x-fix-compilation-breakage-wjen-debug-is-on.patch
+acpi-fix-2.6.21-boot-regression-on-p4-ht.patch
+cxacru-fix-infinite-loop-when-trying-to-cancel-polling-task.patch
+reiserfs-suppress-lockdep-warning.patch
+libata-sff-undo-bug-introduced-with-pci_iomap-changes.patch
+iop-fix-iop_getttimeoffset.patch
+iop13xx-fix-i-o-address-translation.patch
+kbuild-fixdep-segfault-on-pathological-string-o-death.patch
+ip-nf-_nat_proto_gre-do-not-modify-corrupt-grev0-packets-through-nat.patch
+sata_via-add-missing-pm-hooks.patch
+arm-fix-handling-of-svc-mode-undefined-instructions.patch
+oom-fix-constraint-deadlock.patch
+slob-fix-page-order-calculation-on-not-4kb-page.patch
+ppp-fix-ppp_deflate-issues-with-recent-zlib_inflate-changes.patch
+knfsd-avoid-use-of-unitialised-variables-on-error-path-when-nfs-exports.patch
+knfsd-rpc-fix-server-side-wrapping-of-krb5i-replies.patch
+skge-default-wol-should-be-magic-only.patch
+skge-allow-wol-except-for-known-broken-chips.patch
+tg3-fix-tso-bugs.patch
+tg3-remove-reset-during-mac-address-changes.patch
+tg3-update-version-and-reldate.patch
+bnx2-fix-tso-problem-with-small-mss.patch
+bnx2-block-mii-access-when-ifdown.patch
+bnx2-save-pci-state-during-suspend.patch
+bnx2-update-version-and-reldate.patch
+highres-dyntick-prevent-xtime-lock-contention.patch
+fat-fix-vfat-compat-ioctls-on-64-bit-systems.patch
+udf-decrement-correct-link-count-in-udf_rmdir.patch
+ipv6-fix-slab-corruption-running-ip6sic.patch
+netpoll-fix-tx-queue-overflow-in-trapped-mode.patch
+netpoll-remove-config_netpoll_rx.patch
+sctp-fix-sctp_getsockopt_local_addrs_old-to-use-local-storage.patch
+tcp-zero-out-rx_opt-in-tcp_disconnect.patch
+fix-leaky-resv_huge_pages-when-cpuset-is-in-use.patch
+clocksource-fix-resume-logic.patch
+md-avoid-a-possibility-that-a-read-error-can-wrongly-propagate-through-md-raid1-to-a-filesystem.patch
+driver-core-don-t-free-devt_attr-till-the-device-is-released.patch
+pci-quirks-disable-msi-on-rs400-200-and-rs480.patch
+fix-for-bugzilla-8426-massive-slowdown-on-scsi-cd-dvd-drive-connected-to-mptspi-driver.patch
+i386-hpet-check-if-the-counter-works.patch
+# still awaiting an ack
+#restore-semantics-of-routing-header-processing.patch
+alsa-hda-codec-fix-resume-of-stac92xx-codecs.patch
+ipmi-fix-si-address-space-settings.patch
+x86_64-fix-vgettimeofday.patch
+ipv6-send-icmpv6-error-on-scope-violations.patch
+ipv6-do-no-rely-on-skb-dst-before-it-is-assigned.patch
+ipv6-route-assign-rt6i_idev-for-ip6_-prohibit-blk_hole-_entry.patch
+ipv6-reverse-sense-of-promisc-tests-in-ip6_mc_input.patch
+net_sched-prio-qdisc-boundary-condition.patch
+sctp-prevent-oops-if-hmac-modules-didn-t-load.patch
+ipsec-check-validity-of-direction-in-xfrm_policy_byid.patch
+sparc64-add-missing-cpus_empty-check-in-hypervisor-xcall-handling.patch
+sparc64-fix-recursion-in-prom-tree-building.patch
+serial-sunhv-add-an-id-string.patch
+sparc64-bump-promintr_max-to-32.patch
+sparc64-be-more-resiliant-with-pci-i-o-space-regs.patch
+sky2-88e8056-allow.patch
+sky2-88e8071-support-not-ready.patch
+skge-shutdown.patch
+sky2-fix-oops-on-shutdown.patch
+usb-hid-hiddev-fix-race-between-hiddev_send_event-and-hiddev_release.patch
+jfs-fix-race-waking-up-jfsio-kernel-thread.patch
+netfilter-ip-nf-_conntrack-fix-use-after-free-in-helper-destroy-callback-invocation.patch
--- /dev/null
+From dc5a144991ba803bc8afded105c9db1dea0e57ab Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Thu, 26 Apr 2007 13:47:36 -0400
+Subject: sis900: Allocate rx replacement buffer before rx operation
+
+Just found a hole in my last patch. It was reported to me that shortly after we
+integrated this patch. The report was of an oops that took place inside of
+netif_rx when using the sis900 driver. Looking at my origional patch I noted
+that there was a spot between the new skb_alloc and the refill_rx_ring label
+where skb got reassigned to the pointer currently held in the rx_ring for the
+purposes of receiveing the frame. The result of this is however that the buffer
+that gets passed to netif_rx (if it is called), then gets placed right back into
+the rx_ring. So if you receive frames fast enough the skb being processed by
+the network stack can get corrupted. The reporter is testing out the fix I've
+written for this below (I'm not near my hardware at the moment to test myself),
+but I wanted to post it for review ASAP. I'll post test results when I hear
+them, but I think this is a pretty straightforward fix. It just uses a separate
+pointer to do the rx operation, so that we don't improperly reassign the pointer
+that we use to refill the rx ring.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/sis900.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/sis900.c
++++ linux-2.6.21.1/drivers/net/sis900.c
+@@ -1754,6 +1754,7 @@ static int sis900_rx(struct net_device *
+ sis_priv->rx_ring[entry].cmdsts = RX_BUF_SIZE;
+ } else {
+ struct sk_buff * skb;
++ struct sk_buff * rx_skb;
+
+ pci_unmap_single(sis_priv->pci_dev,
+ sis_priv->rx_ring[entry].bufptr, RX_BUF_SIZE,
+@@ -1787,10 +1788,10 @@ static int sis900_rx(struct net_device *
+ }
+
+ /* give the socket buffer to upper layers */
+- skb = sis_priv->rx_skbuff[entry];
+- skb_put(skb, rx_size);
+- skb->protocol = eth_type_trans(skb, net_dev);
+- netif_rx(skb);
++ rx_skb = sis_priv->rx_skbuff[entry];
++ skb_put(rx_skb, rx_size);
++ rx_skb->protocol = eth_type_trans(rx_skb, net_dev);
++ netif_rx(rx_skb);
+
+ /* some network statistics */
+ if ((rx_status & BCAST) == MCAST)
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 11:04:00 2007
+Date: Mon, 7 May 2007 11:01:55 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: Jeff Garzik <jgarzik@pobox.com>
+Message-ID: <20070507110155.2063c74d@freekitty>
+Cc: stable@kernel.org
+Subject: skge: allow WOL except for known broken chips
+
+Wake On Lan works correctly on Yukon-FE and other variants.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/skge.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/skge.c
++++ linux-2.6.21.1/drivers/net/skge.c
+@@ -135,10 +135,13 @@ static void skge_get_regs(struct net_dev
+ /* Wake on Lan only supported on Yukon chips with rev 1 or above */
+ static u32 wol_supported(const struct skge_hw *hw)
+ {
+- if (hw->chip_id == CHIP_ID_YUKON && hw->chip_rev != 0)
+- return WAKE_MAGIC | WAKE_PHY;
+- else
++ if (hw->chip_id == CHIP_ID_GENESIS)
+ return 0;
++
++ if (hw->chip_id == CHIP_ID_YUKON && hw->chip_rev == 0)
++ return 0;
++
++ return WAKE_MAGIC | WAKE_PHY;
+ }
+
+ static u32 pci_wake_enabled(struct pci_dev *dev)
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 8 13:38:21 2007
+Date: Tue, 8 May 2007 13:36:20 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: Jeff Garzik <jeff@garzik.org>
+Message-ID: <20070508133620.0a7c6d12@localhost>
+Cc: stable@kernel.org
+Subject: skge: default WOL should be magic only (rev2)
+
+By default, the skge driver now enables wake on magic and wake on PHY.
+This is a bad default (bug), wake on PHY means machine will never shutdown
+if connected to a switch.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>a
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/skge.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/drivers/net/skge.c
++++ linux-2.6.21.1/drivers/net/skge.c
+@@ -3583,7 +3583,9 @@ static struct net_device *skge_devinit(s
+ skge->duplex = -1;
+ skge->speed = -1;
+ skge->advertising = skge_supported_modes(hw);
+- skge->wol = pci_wake_enabled(hw->pdev) ? wol_supported(hw) : 0;
++
++ if (pci_wake_enabled(hw->pdev))
++ skge->wol = wol_supported(hw) & WAKE_MAGIC;
+
+ hw->dev[port] = dev;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 15:20:30 2007
+Message-Id: <20070515220903.789054831@linux-foundation.org>
+Date: Tue, 15 May 2007 15:08:26 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org
+Subject: skge: crash on shutdown/suspend
+
+If device fails during module startup for some reason (like unsupported chip
+version) then driver would crash dereferencing a null pointer, on shutdown
+or suspend/resume.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/skge.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/net/skge.c
++++ linux-2.6.21.1/drivers/net/skge.c
+@@ -3794,6 +3794,9 @@ static int skge_suspend(struct pci_dev *
+ struct skge_hw *hw = pci_get_drvdata(pdev);
+ int i, err, wol = 0;
+
++ if (!hw)
++ return 0;
++
+ err = pci_save_state(pdev);
+ if (err)
+ return err;
+@@ -3822,6 +3825,9 @@ static int skge_resume(struct pci_dev *p
+ struct skge_hw *hw = pci_get_drvdata(pdev);
+ int i, err;
+
++ if (!hw)
++ return 0;
++
+ err = pci_set_power_state(pdev, PCI_D0);
+ if (err)
+ goto out;
+@@ -3860,6 +3866,9 @@ static void skge_shutdown(struct pci_dev
+ struct skge_hw *hw = pci_get_drvdata(pdev);
+ int i, wol = 0;
+
++ if (!hw)
++ return;
++
+ for (i = 0; i < hw->ports; i++) {
+ struct net_device *dev = hw->dev[i];
+ struct skge_port *skge = netdev_priv(dev);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 15:20:13 2007
+Message-Id: <20070515220903.648019094@linux-foundation.org>
+Date: Tue, 15 May 2007 15:08:24 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org
+Subject: sky2: allow 88E8056
+
+It looks like the problems of Gigabyte 88E8056 are unique to that chip
+motherboard and maybe fixable by EEPROM update.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/sky2.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/sky2.c
++++ linux-2.6.21.1/drivers/net/sky2.c
+@@ -123,10 +123,7 @@ static const struct pci_device_id sky2_i
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4361) }, /* 88E8050 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4362) }, /* 88E8053 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4363) }, /* 88E8055 */
+-#ifdef broken
+- /* This device causes data corruption problems that are not resolved */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4364) }, /* 88E8056 */
+-#endif
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4366) }, /* 88EC036 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4367) }, /* 88EC032 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4368) }, /* 88EC034 */
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 15:20:04 2007
+Message-Id: <20070515220903.737015029@linux-foundation.org>
+Date: Tue, 15 May 2007 15:08:25 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org
+Subject: sky2: 88e8071 support not ready
+
+The driver is not ready to support 88e8071 chip, it requires several
+more changes (not done yet). If this chip is present, system will hang on boot.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+
+---
+ drivers/net/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/drivers/net/sky2.c
++++ linux-2.6.21.1/drivers/net/sky2.c
+@@ -129,7 +129,7 @@ static const struct pci_device_id sky2_i
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4368) }, /* 88EC034 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4369) }, /* 88EC042 */
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436A) }, /* 88E8058 */
+- { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436B) }, /* 88E8071 */
++// { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436B) }, /* 88E8071 */
+ { 0 }
+ };
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 15:20:24 2007
+Message-Id: <20070515220903.877649648@linux-foundation.org>
+Date: Tue, 15 May 2007 15:08:27 -0700
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org
+Subject: sky2: fix oops on shutdown
+
+If the device fails during module startup for some reason like unsupported chip
+version then the driver would crash dereferencing a null pointer, on shutdown
+or suspend/resume.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/net/sky2.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/net/sky2.c
++++ linux-2.6.21.1/drivers/net/sky2.c
+@@ -3719,6 +3719,7 @@ err_out_free_regions:
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ err_out:
++ pci_set_drvdata(pdev, NULL);
+ return err;
+ }
+
+@@ -3771,6 +3772,9 @@ static int sky2_suspend(struct pci_dev *
+ struct sky2_hw *hw = pci_get_drvdata(pdev);
+ int i, wol = 0;
+
++ if (!hw)
++ return 0;
++
+ del_timer_sync(&hw->idle_timer);
+ netif_poll_disable(hw->dev[0]);
+
+@@ -3802,6 +3806,9 @@ static int sky2_resume(struct pci_dev *p
+ struct sky2_hw *hw = pci_get_drvdata(pdev);
+ int i, err;
+
++ if (!hw)
++ return 0;
++
+ err = pci_set_power_state(pdev, PCI_D0);
+ if (err)
+ goto out;
+@@ -3848,6 +3855,9 @@ static void sky2_shutdown(struct pci_dev
+ struct sky2_hw *hw = pci_get_drvdata(pdev);
+ int i, wol = 0;
+
++ if (!hw)
++ return;
++
+ del_timer_sync(&hw->idle_timer);
+ netif_poll_disable(hw->dev[0]);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sun May 6 14:52:46 2007
+Message-Id: <200705062150.l46LoJ7S024625@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Sun, 06 May 2007 14:50:19 -0700
+Cc: stable@kernel.org, akpm@linux-foundation.org, akinobu.mita@gmail.com, mpm@selenic.com
+Subject: slob: fix page order calculation on not 4KB page
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+SLOB doesn't calculate correct page order when page size is not 4KB. This
+patch fixes it with using get_order() instead of find_order() which is SLOB
+version of get_order().
+
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ mm/slob.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+--- linux-2.6.21.1.orig/mm/slob.c
++++ linux-2.6.21.1/mm/slob.c
+@@ -150,15 +150,6 @@ static void slob_free(void *block, int s
+ spin_unlock_irqrestore(&slob_lock, flags);
+ }
+
+-static int FASTCALL(find_order(int size));
+-static int fastcall find_order(int size)
+-{
+- int order = 0;
+- for ( ; size > 4096 ; size >>=1)
+- order++;
+- return order;
+-}
+-
+ void *__kmalloc(size_t size, gfp_t gfp)
+ {
+ slob_t *m;
+@@ -174,7 +165,7 @@ void *__kmalloc(size_t size, gfp_t gfp)
+ if (!bb)
+ return 0;
+
+- bb->order = find_order(size);
++ bb->order = get_order(size);
+ bb->pages = (void *)__get_free_pages(gfp, bb->order);
+
+ if (bb->pages) {
+@@ -284,7 +275,7 @@ void *kmem_cache_alloc(struct kmem_cache
+ if (c->size < PAGE_SIZE)
+ b = slob_alloc(c->size, flags, c->align);
+ else
+- b = (void *)__get_free_pages(flags, find_order(c->size));
++ b = (void *)__get_free_pages(flags, get_order(c->size));
+
+ if (c->ctor)
+ c->ctor(b, c, SLAB_CTOR_CONSTRUCTOR);
+@@ -311,7 +302,7 @@ void kmem_cache_free(struct kmem_cache *
+ if (c->size < PAGE_SIZE)
+ slob_free(b, c->size);
+ else
+- free_pages((unsigned long)b, find_order(c->size));
++ free_pages((unsigned long)b, get_order(c->size));
+ }
+ EXPORT_SYMBOL(kmem_cache_free);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Apr 28 08:34:17 2007
+Message-ID: <46336900.5060007@pobox.com>
+Date: Sat, 28 Apr 2007 11:32:16 -0400
+From: Jeff Garzik <jgarzik@pobox.com>
+To: stable@kernel.org
+Cc: vwool@ru.mvista.com, dustin@sensoria.com
+Subject: smc911x: fix compilation breakage wjen debug is on
+
+From: Vitaly Wool <vwool@ru.mvista.com>
+
+the patch below fixes compilation breakage of smc911x driver when ENABLE_SMC_DEBUG_PKTS equals to 1.
+
+Signed-off-by: Vitaly Wool <vitalywool@gmail.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/net/smc911x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+
+--- linux-2.6.21.1.orig/drivers/net/smc911x.c
++++ linux-2.6.21.1/drivers/net/smc911x.c
+@@ -499,7 +499,7 @@ static inline void smc911x_rcv(struct n
+ SMC_SET_RX_CFG(RX_CFG_RX_END_ALGN4_ | ((2<<8) & RX_CFG_RXDOFF_));
+ SMC_PULL_DATA(data, pkt_len+2+3);
+
+- DBG(SMC_DEBUG_PKTS, "%s: Received packet\n", dev->name,);
++ DBG(SMC_DEBUG_PKTS, "%s: Received packet\n", dev->name);
+ PRINT_PKT(data, ((pkt_len - 4) <= 64) ? pkt_len - 4 : 64);
+ dev->last_rx = jiffies;
+ skb->dev = dev;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:39:44 2007
+Date: Tue, 15 May 2007 01:37:56 -0700 (PDT)
+Message-Id: <20070515.013756.106434867.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SPARC64: Add missing cpus_empty() check in hypervisor xcall handling.
+
+From: "David S. Miller" <davem@sunset.davemloft.net>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ arch/sparc64/kernel/smp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.21.1.orig/arch/sparc64/kernel/smp.c
++++ linux-2.6.21.1/arch/sparc64/kernel/smp.c
+@@ -566,6 +566,9 @@ static void hypervisor_xcall_deliver(u64
+ unsigned long flags, status;
+ int cnt, retries, this_cpu, prev_sent, i;
+
++ if (cpus_empty(mask))
++ return;
++
+ /* We have to do this whole thing with interrupts fully disabled.
+ * Otherwise if we send an xcall from interrupt context it will
+ * corrupt both our mondo block and cpu list state.
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:48:08 2007
+Date: Tue, 15 May 2007 01:46:19 -0700 (PDT)
+Message-Id: <20070515.014619.26966351.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SPARC64: Be more resiliant with PCI I/O space regs.
+
+From: "David S. Miller" <davem@sunset.davemloft.net>
+
+If we miss on the ranges, just toss the translation up to the parent
+instead of failing.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ arch/sparc64/kernel/of_device.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- linux-2.6.21.1.orig/arch/sparc64/kernel/of_device.c
++++ linux-2.6.21.1/arch/sparc64/kernel/of_device.c
+@@ -508,6 +508,13 @@ static int __init build_one_resource(str
+ return 0;
+ }
+
++ /* When we miss an I/O space match on PCI, just pass it up
++ * to the next PCI bridge and/or controller.
++ */
++ if (!strcmp(bus->name, "pci") &&
++ (addr[0] & 0x03000000) == 0x01000000)
++ return 0;
++
+ return 1;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:44:27 2007
+Date: Tue, 15 May 2007 01:42:34 -0700 (PDT)
+Message-Id: <20070515.014234.35355035.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SPARC64: Bump PROMINTR_MAX to 32.
+
+From: "David S. Miller" <davem@sunset.davemloft.net>
+
+Some devices have more than 15 which was the previous
+setting.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ include/asm-sparc64/openprom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/include/asm-sparc64/openprom.h
++++ linux-2.6.21.1/include/asm-sparc64/openprom.h
+@@ -177,7 +177,7 @@ struct linux_nodeops {
+ /* More fun PROM structures for device probing. */
+ #define PROMREG_MAX 24
+ #define PROMVADDR_MAX 16
+-#define PROMINTR_MAX 15
++#define PROMINTR_MAX 32
+
+ struct linux_prom_registers {
+ unsigned which_io; /* hi part of physical address */
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 01:40:55 2007
+Date: Tue, 15 May 2007 01:39:05 -0700 (PDT)
+Message-Id: <20070515.013905.77057238.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: SPARC64: Fix recursion in PROM tree building.
+
+From: "David S. Miller" <davem@sunset.davemloft.net>
+
+Use iteration for scanning of PROM node siblings.
+
+Based upon a patch by Greg Onufer, who found this bug.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ arch/sparc64/kernel/prom.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- linux-2.6.21.1.orig/arch/sparc64/kernel/prom.c
++++ linux-2.6.21.1/arch/sparc64/kernel/prom.c
+@@ -1555,10 +1555,21 @@ static struct device_node * __init creat
+
+ static struct device_node * __init build_tree(struct device_node *parent, phandle node, struct device_node ***nextp)
+ {
++ struct device_node *ret = NULL, *prev_sibling = NULL;
+ struct device_node *dp;
+
+- dp = create_node(node, parent);
+- if (dp) {
++ while (1) {
++ dp = create_node(node, parent);
++ if (!dp)
++ break;
++
++ if (prev_sibling)
++ prev_sibling->sibling = dp;
++
++ if (!ret)
++ ret = dp;
++ prev_sibling = dp;
++
+ *(*nextp) = dp;
+ *nextp = &dp->allnext;
+
+@@ -1567,10 +1578,10 @@ static struct device_node * __init build
+
+ dp->child = build_tree(dp, prom_getchild(node), nextp);
+
+- dp->sibling = build_tree(parent, prom_getsibling(node), nextp);
++ node = prom_getsibling(node);
+ }
+
+- return dp;
++ return ret;
+ }
+
+ void __init prom_build_devicetree(void)
--- /dev/null
+From stable-bounces@linux.kernel.org Wed May 9 01:35:55 2007
+Date: Wed, 09 May 2007 01:33:58 -0700 (PDT)
+Message-Id: <20070509.013358.77058720.davem@davemloft.net>
+To: stable@kernel.org
+From: David Miller <davem@davemloft.net>
+Cc: bunk@stusta.de
+Subject: TCP: zero out rx_opt in tcp_disconnect()
+
+From: Srinivas Aji <Aji_Srinivas@emc.com>
+
+When the server drops its connection, NFS client reconnects using the
+same socket after disconnecting. If the new connection's SYN,ACK
+doesn't contain the TCP timestamp option and the old connection's did,
+tp->tcp_header_len is recomputed assuming no timestamp header but
+tp->rx_opt.tstamp_ok remains set. Then tcp_build_and_update_options()
+adds in a timestamp option past the end of the allocated TCP header,
+overwriting TCP data, or when the data is in skb_shinfo(skb)->frags[],
+overwriting skb_shinfo(skb) causing a crash soon after. (The issue was
+debugged from such a crash.)
+
+Similarly, wscale_ok and sack_ok also get set based on the SYN,ACK
+packet but not reset on disconnect, since they are zeroed out at
+initialization. The patch zeroes out the entire tp->rx_opt struct in
+tcp_disconnect() to avoid this sort of problem.
+
+Signed-off-by: Srinivas Aji <Aji_Srinivas@emc.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv4/tcp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/net/ipv4/tcp.c
++++ linux-2.6.21.1/net/ipv4/tcp.c
+@@ -1759,8 +1759,7 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_clear_retrans(tp);
+ inet_csk_delack_init(sk);
+ sk->sk_send_head = NULL;
+- tp->rx_opt.saw_tstamp = 0;
+- tcp_sack_reset(&tp->rx_opt);
++ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
+
+ BUG_TRAP(!inet->num || icsk->icsk_bind_hash);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:19:19 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:03:37 -0700
+Message-ID: <1178589817.10892.10.camel@dell>
+Subject: TG3: Fix TSO bugs.
+
+1. Remove the check for skb->len greater than MTU when doing TSO.
+When the destination has a smaller MSS than the source, a TSO packet
+may be smaller than the MTU and we still need to process it as a TSO
+packet.
+
+2. On 5705A3 devices with TSO enabled, the DMA engine can hang due to a
+hardware bug. This patch avoids the hanging condition by reducing the
+DMA burst size.
+
+Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ drivers/net/tg3.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/tg3.c
++++ linux-2.6.21.1/drivers/net/tg3.c
+@@ -3895,8 +3895,7 @@ static int tg3_start_xmit(struct sk_buff
+ entry = tp->tx_prod;
+ base_flags = 0;
+ mss = 0;
+- if (skb->len > (tp->dev->mtu + ETH_HLEN) &&
+- (mss = skb_shinfo(skb)->gso_size) != 0) {
++ if ((mss = skb_shinfo(skb)->gso_size) != 0) {
+ int tcp_opt_len, ip_tcp_len;
+
+ if (skb_header_cloned(skb) &&
+@@ -4053,8 +4052,7 @@ static int tg3_start_xmit_dma_bug(struct
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+ base_flags |= TXD_FLAG_TCPUDP_CSUM;
+ mss = 0;
+- if (skb->len > (tp->dev->mtu + ETH_HLEN) &&
+- (mss = skb_shinfo(skb)->gso_size) != 0) {
++ if ((mss = skb_shinfo(skb)->gso_size) != 0) {
+ int tcp_opt_len, ip_tcp_len, hdr_len;
+
+ if (skb_header_cloned(skb) &&
+@@ -6348,8 +6346,7 @@ static int tg3_reset_hw(struct tg3 *tp,
+ tp->pci_chip_rev_id != CHIPREV_ID_5705_A0) ||
+ (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5750)) {
+ if (tp->tg3_flags2 & TG3_FLG2_TSO_CAPABLE &&
+- (tp->pci_chip_rev_id == CHIPREV_ID_5705_A1 ||
+- tp->pci_chip_rev_id == CHIPREV_ID_5705_A2)) {
++ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5705) {
+ rdmac_mode |= RDMAC_MODE_FIFO_SIZE_128;
+ } else if (!(tr32(TG3PCI_PCISTATE) & PCISTATE_BUS_SPEED_HIGH) &&
+ !(tp->tg3_flags2 & TG3_FLG2_IS_5788)) {
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:21:11 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:03:53 -0700
+Message-ID: <1178589833.10892.11.camel@dell>
+Subject: TG3: Remove reset during MAC address changes.
+
+The reset was added a while back so that ASF could re-init whatever
+MAC address it wanted to use after the MAC address was changed.
+Instead of resetting, we can just keep MAC address 1 unchanged during
+MAC address changes if MAC address 1 is different from MAC address 0.
+
+This fixes 2 problems:
+
+1. Bonding calls set_mac_address in contexts that cannot sleep.
+It no longer sleeps with the chip reset removed.
+
+2. When ASF shares the same MAC address as the NIC, it needs to
+always do that even when the MAC address is changed.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+---
+ drivers/net/tg3.c | 35 ++++++++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/tg3.c
++++ linux-2.6.21.1/drivers/net/tg3.c
+@@ -5934,7 +5934,7 @@ static int tg3_load_tso_firmware(struct
+
+
+ /* tp->lock is held. */
+-static void __tg3_set_mac_addr(struct tg3 *tp)
++static void __tg3_set_mac_addr(struct tg3 *tp, int skip_mac_1)
+ {
+ u32 addr_high, addr_low;
+ int i;
+@@ -5946,6 +5946,8 @@ static void __tg3_set_mac_addr(struct tg
+ (tp->dev->dev_addr[4] << 8) |
+ (tp->dev->dev_addr[5] << 0));
+ for (i = 0; i < 4; i++) {
++ if (i == 1 && skip_mac_1)
++ continue;
+ tw32(MAC_ADDR_0_HIGH + (i * 8), addr_high);
+ tw32(MAC_ADDR_0_LOW + (i * 8), addr_low);
+ }
+@@ -5972,7 +5974,7 @@ static int tg3_set_mac_addr(struct net_d
+ {
+ struct tg3 *tp = netdev_priv(dev);
+ struct sockaddr *addr = p;
+- int err = 0;
++ int err = 0, skip_mac_1 = 0;
+
+ if (!is_valid_ether_addr(addr->sa_data))
+ return -EINVAL;
+@@ -5983,22 +5985,21 @@ static int tg3_set_mac_addr(struct net_d
+ return 0;
+
+ if (tp->tg3_flags & TG3_FLAG_ENABLE_ASF) {
+- /* Reset chip so that ASF can re-init any MAC addresses it
+- * needs.
+- */
+- tg3_netif_stop(tp);
+- tg3_full_lock(tp, 1);
++ u32 addr0_high, addr0_low, addr1_high, addr1_low;
+
+- tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
+- err = tg3_restart_hw(tp, 0);
+- if (!err)
+- tg3_netif_start(tp);
+- tg3_full_unlock(tp);
+- } else {
+- spin_lock_bh(&tp->lock);
+- __tg3_set_mac_addr(tp);
+- spin_unlock_bh(&tp->lock);
++ addr0_high = tr32(MAC_ADDR_0_HIGH);
++ addr0_low = tr32(MAC_ADDR_0_LOW);
++ addr1_high = tr32(MAC_ADDR_1_HIGH);
++ addr1_low = tr32(MAC_ADDR_1_LOW);
++
++ /* Skip MAC addr 1 if ASF is using it. */
++ if ((addr0_high != addr1_high || addr0_low != addr1_low) &&
++ !(addr1_high == 0 && addr1_low == 0))
++ skip_mac_1 = 1;
+ }
++ spin_lock_bh(&tp->lock);
++ __tg3_set_mac_addr(tp, skip_mac_1);
++ spin_unlock_bh(&tp->lock);
+
+ return err;
+ }
+@@ -6315,7 +6316,7 @@ static int tg3_reset_hw(struct tg3 *tp,
+ tp->rx_jumbo_ptr);
+
+ /* Initialize MAC address and backoff seed. */
+- __tg3_set_mac_addr(tp);
++ __tg3_set_mac_addr(tp, 0);
+
+ /* MTU + ethernet header + FCS + optional VLAN tag */
+ tw32(MAC_RX_MTU_SIZE, tp->dev->mtu + ETH_HLEN + 8);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon May 7 18:21:02 2007
+From: "Michael Chan" <mchan@broadcom.com>
+To: stable@kernel.org
+Date: Mon, 07 May 2007 19:04:04 -0700
+Message-ID: <1178589844.10892.12.camel@dell>
+Subject: TG3: Update version and reldate.
+
+Update version to 3.75.1.
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ drivers/net/tg3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.21.1.orig/drivers/net/tg3.c
++++ linux-2.6.21.1/drivers/net/tg3.c
+@@ -64,8 +64,8 @@
+
+ #define DRV_MODULE_NAME "tg3"
+ #define PFX DRV_MODULE_NAME ": "
+-#define DRV_MODULE_VERSION "3.75"
+-#define DRV_MODULE_RELDATE "March 23, 2007"
++#define DRV_MODULE_VERSION "3.75.1"
++#define DRV_MODULE_RELDATE "May 7, 2007"
+
+ #define TG3_DEF_MAC_MODE 0
+ #define TG3_DEF_RX_MODE 0
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 8 00:33:59 2007
+Message-Id: <200705080731.l487VVSL017268@shell0.pdx.osdl.net>
+To: torvalds@linux-foundation.org
+From: akpm@linux-foundation.org
+Date: Tue, 08 May 2007 00:31:31 -0700
+Cc: jack@ucw.cz, akpm@linux-foundation.org, haveblue@us.ibm.com, stable@kernel.org, molletts@yahoo.com
+Subject: udf: decrement correct link count in udf_rmdir
+
+From: Stephen Mollett <molletts@yahoo.com>
+
+It appears that a minor thinko occurred in udf_rmdir and the
+(already-cleared) link count on the directory that is being removed was
+being decremented instead of the link count on its parent directory. This
+gives rise to lots of kernel messages similar to:
+
+UDF-fs warning (device loop1): udf_rmdir: empty directory has nlink != 2 (8)
+
+when removing directory trees. No other ill effects have been observed but
+I guess it could theoretically result in the link count overflowing on a
+very long-lived, much modified directory.
+
+Signed-off-by: Stephen Mollett <molletts@yahoo.com>
+Cc: Dave Hansen <haveblue@us.ibm.com>
+Cc: Jan Kara <jack@ucw.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/udf/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/fs/udf/namei.c
++++ linux-2.6.21.1/fs/udf/namei.c
+@@ -878,7 +878,7 @@ static int udf_rmdir(struct inode * dir,
+ inode->i_nlink);
+ clear_nlink(inode);
+ inode->i_size = 0;
+- inode_dec_link_count(inode);
++ inode_dec_link_count(dir);
+ inode->i_ctime = dir->i_ctime = dir->i_mtime = current_fs_time(dir->i_sb);
+ mark_inode_dirty(dir);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 15:44:33 2007
+Date: Wed, 16 May 2007 00:44:59 +0200 (CEST)
+From: Jiri Kosina <jkosina@suse.cz>
+To: stable@kernel.org
+Message-ID: <Pine.LNX.4.64.0705160041230.11493@jikos.suse.cz>
+Subject: USB HID: hiddev - fix race between hiddev_send_event() and hiddev_release()
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+USB HID: hiddev - fix race between hiddev_send_event() and hiddev_release()
+
+There is a small race window in which hiddev_release() could corrupt the
+list that is being processed for new event in hiddev_send_event().
+Synchronize the operations over this list.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+(in Linus' tree as cdcb44e87bedcf5070eece61f89f9373a3810031)
+
+---
+ drivers/usb/input/hiddev.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- linux-2.6.21.1.orig/drivers/usb/input/hiddev.c
++++ linux-2.6.21.1/drivers/usb/input/hiddev.c
+@@ -51,6 +51,7 @@ struct hiddev {
+ wait_queue_head_t wait;
+ struct hid_device *hid;
+ struct list_head list;
++ spinlock_t list_lock;
+ };
+
+ struct hiddev_list {
+@@ -161,7 +162,9 @@ static void hiddev_send_event(struct hid
+ {
+ struct hiddev *hiddev = hid->hiddev;
+ struct hiddev_list *list;
++ unsigned long flags;
+
++ spin_lock_irqsave(&hiddev->list_lock, flags);
+ list_for_each_entry(list, &hiddev->list, node) {
+ if (uref->field_index != HID_FIELD_INDEX_NONE ||
+ (list->flags & HIDDEV_FLAG_REPORT) != 0) {
+@@ -171,6 +174,7 @@ static void hiddev_send_event(struct hid
+ kill_fasync(&list->fasync, SIGIO, POLL_IN);
+ }
+ }
++ spin_unlock_irqrestore(&hiddev->list_lock, flags);
+
+ wake_up_interruptible(&hiddev->wait);
+ }
+@@ -235,9 +239,13 @@ static int hiddev_fasync(int fd, struct
+ static int hiddev_release(struct inode * inode, struct file * file)
+ {
+ struct hiddev_list *list = file->private_data;
++ unsigned long flags;
+
+ hiddev_fasync(-1, file, 0);
++
++ spin_lock_irqsave(&list->hiddev->list_lock, flags);
+ list_del(&list->node);
++ spin_unlock_irqrestore(&list->hiddev->list_lock, flags);
+
+ if (!--list->hiddev->open) {
+ if (list->hiddev->exist)
+@@ -257,6 +265,7 @@ static int hiddev_release(struct inode *
+ static int hiddev_open(struct inode *inode, struct file *file)
+ {
+ struct hiddev_list *list;
++ unsigned long flags;
+
+ int i = iminor(inode) - HIDDEV_MINOR_BASE;
+
+@@ -267,7 +276,11 @@ static int hiddev_open(struct inode *ino
+ return -ENOMEM;
+
+ list->hiddev = hiddev_table[i];
++
++ spin_lock_irqsave(&list->hiddev->list_lock, flags);
+ list_add_tail(&list->node, &hiddev_table[i]->list);
++ spin_unlock_irqrestore(&list->hiddev->list_lock, flags);
++
+ file->private_data = list;
+
+ if (!list->hiddev->open++)
+@@ -773,6 +786,7 @@ int hiddev_connect(struct hid_device *hi
+
+ init_waitqueue_head(&hiddev->wait);
+ INIT_LIST_HEAD(&hiddev->list);
++ spin_lock_init(&hiddev->list_lock);
+ hiddev->hid = hid;
+ hiddev->exist = 1;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue May 15 02:10:08 2007
+Date: Tue, 15 May 2007 10:17:58 +0200
+From: Eric Dumazet <dada1@cosmosbay.com>
+To: Andi Kleen <ak@suse.de>
+Message-Id: <20070515101758.51d6bc47.dada1@cosmosbay.com>
+Cc: dang@gentoo.org, john stultz <johnstul@us.ibm.com>, stable@kernel.org, Andrew Morton <akpm@linux-foundation.org>, Thomas Gleixner <tglx@linutronix.de>
+Subject: [PATCH] x86_64 : Fix vgettimeofday()
+
+vgettimeofday() may return some bad timeval values, (tv_usec = 1000000), because of a wrong compare.
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/x86_64/kernel/vsyscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.21.1.orig/arch/x86_64/kernel/vsyscall.c
++++ linux-2.6.21.1/arch/x86_64/kernel/vsyscall.c
+@@ -132,7 +132,7 @@ static __always_inline void do_vgettimeo
+
+ /* convert to usecs and add to timespec: */
+ tv->tv_usec += nsec_delta / NSEC_PER_USEC;
+- while (tv->tv_usec > USEC_PER_SEC) {
++ while (tv->tv_usec >= USEC_PER_SEC) {
+ tv->tv_sec += 1;
+ tv->tv_usec -= USEC_PER_SEC;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
