more patches added to 2.6.20 queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Apr 2007 23:48:44 +0000 (16:48 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 23 Apr 2007 23:48:44 +0000 (16:48 -0700)
12 files changed:
queue-2.6.20/cache_k8_northbridges-overflows-beyond-allocation.patch [new file with mode: 0644]
queue-2.6.20/exec.c-fix-coredump-to-pipe-problem-and-obscure-security-hole.patch [new file with mode: 0644]
queue-2.6.20/fix-bogus-inline-directive-in-sparc64-pci-code.patch [new file with mode: 0644]
queue-2.6.20/fix-compat-sys_ipc-on-sparc64.patch [new file with mode: 0644]
queue-2.6.20/fix-errors-in-tcp_mem-calculations.patch [new file with mode: 0644]
queue-2.6.20/fix-irda-oops-er.patch [new file with mode: 0644]
queue-2.6.20/fix-netpoll-udp-input-path.patch [new file with mode: 0644]
queue-2.6.20/fix-qlogicpti-dma-unmapping.patch [new file with mode: 0644]
queue-2.6.20/nfs-fix-an-oops-in-nfs_setattr.patch [new file with mode: 0644]
queue-2.6.20/series
queue-2.6.20/vt-fix-potential-race-in-vt_waitactive-handler.patch [new file with mode: 0644]
queue-2.6.20/x86-don-t-probe-for-ddc-on-vbe1.2.patch [new file with mode: 0644]

diff --git a/queue-2.6.20/cache_k8_northbridges-overflows-beyond-allocation.patch b/queue-2.6.20/cache_k8_northbridges-overflows-beyond-allocation.patch
new file mode 100644 (file)
index 0000000..73882b1
--- /dev/null
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 12:54:30 2007
+From: Badari Pulavarty <pbadari@gmail.com>
+Date: Tue, 17 Apr 2007 15:53:09 -0400
+Subject: cache_k8_northbridges() overflows beyond allocation
+To: linux-stable <stable@kernel.org>
+Cc: Andi Kleen <andi@firstfloor.org>
+Message-ID: <462525A5.9080706@redhat.com>
+
+
+From: Badari Pulavarty <pbadari@gmail.com>
+
+cache_k8_northbridges() overflows beyond allocation
+
+cache_k8_northbridges() is storing config values to incorrect locations
+(in flush_words) and also its overflowing beyond the allocation, causing
+slab verification failures.
+
+Signed-off-by: Badari Pulavarty <pbadari@us.ibm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86_64/kernel/k8.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86_64/kernel/k8.c
++++ b/arch/x86_64/kernel/k8.c
+@@ -61,8 +61,8 @@ int cache_k8_northbridges(void)
+       dev = NULL;
+       i = 0;
+       while ((dev = next_k8_northbridge(dev)) != NULL) {
+-              k8_northbridges[i++] = dev;
+-              pci_read_config_dword(dev, 0x9c, &flush_words[i]);
++              k8_northbridges[i] = dev;
++              pci_read_config_dword(dev, 0x9c, &flush_words[i++]);
+       }
+       k8_northbridges[i] = NULL;
+       return 0;
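Review bot: The fill loop in cache_k8_northbridges() still has no bound on `i`, so `k8_northbridges[i]` and `flush_words[i++]` stay in range only if this walk of next_k8_northbridge() finds no more devices than the arrays were sized for. The allocation and the device count are outside the visible hunk, so this is inferred, but a guard such as `if (i >= count) break;` (with `count` standing for whatever the allocation used) would turn a mismatch into a short table instead of a slab overrun. The trailing `k8_northbridges[i] = NULL;` also needs one slot more than the device count. The bare `0x9c` config offset would be easier to audit with a one-line comment naming the register it reads.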
diff --git a/queue-2.6.20/exec.c-fix-coredump-to-pipe-problem-and-obscure-security-hole.patch b/queue-2.6.20/exec.c-fix-coredump-to-pipe-problem-and-obscure-security-hole.patch
new file mode 100644 (file)
index 0000000..08f5d3a
--- /dev/null
@@ -0,0 +1,91 @@
+From git-commits-head-owner@vger.kernel.org Tue Apr 17 16:59:13 2007
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Date: Tue, 17 Apr 2007 23:59:01 GMT
+Subject: exec.c: fix coredump to pipe problem and obscure "security hole"
+To: git-commits-head@vger.kernel.org
+Message-ID: <200704172359.l3HNx1x0024174@hera.kernel.org>
+
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+
+exec.c: fix coredump to pipe problem and obscure "security hole"
+
+The patch checks for "|" in the pattern not the output and doesn't nail a
+pid on to a piped name (as it is a program name not a file)
+
+Also fixes a very very obscure security corner case.  If you happen to have
+decided on a core pattern that starts with the program name then the user
+can run a program called "|myevilhack" as it stands.  I doubt anyone does
+this.
+
+Signed-off-by: Alan Cox <alan@redhat.com>
+Confirmed-by: Christopher S. Aker <caker@theshore.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c |   18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1246,13 +1246,17 @@ EXPORT_SYMBOL(set_binfmt);
+  * name into corename, which must have space for at least
+  * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
+  */
+-static void format_corename(char *corename, const char *pattern, long signr)
++static int format_corename(char *corename, const char *pattern, long signr)
+ {
+       const char *pat_ptr = pattern;
+       char *out_ptr = corename;
+       char *const out_end = corename + CORENAME_MAX_SIZE;
+       int rc;
+       int pid_in_pattern = 0;
++      int ispipe = 0;
++
++      if (*pattern == '|')
++              ispipe = 1;
+       /* Repeat as long as we have more pattern to process and more output
+          space */
+@@ -1343,8 +1347,8 @@ static void format_corename(char *corena
+        *
+        * If core_pattern does not include a %p (as is the default)
+        * and core_uses_pid is set, then .%pid will be appended to
+-       * the filename */
+-      if (!pid_in_pattern
++       * the filename. Do not do this for piped commands. */
++      if (!ispipe && !pid_in_pattern
+             && (core_uses_pid || atomic_read(&current->mm->mm_users) != 1)) {
+               rc = snprintf(out_ptr, out_end - out_ptr,
+                             ".%d", current->tgid);
+@@ -1352,8 +1356,9 @@ static void format_corename(char *corena
+                       goto out;
+               out_ptr += rc;
+       }
+-      out:
++out:
+       *out_ptr = 0;
++      return ispipe;
+ }
+ static void zap_process(struct task_struct *start)
+@@ -1504,16 +1509,15 @@ int do_coredump(long signr, int exit_cod
+        * uses lock_kernel()
+        */
+       lock_kernel();
+-      format_corename(corename, core_pattern, signr);
++      ispipe = format_corename(corename, core_pattern, signr);
+       unlock_kernel();
+-      if (corename[0] == '|') {
++      if (ispipe) {
+               /* SIGPIPE can happen, but it's just never processed */
+               if(call_usermodehelper_pipe(corename+1, NULL, NULL, &file)) {
+                       printk(KERN_INFO "Core dump to %s pipe failed\n",
+                              corename);
+                       goto fail_unlock;
+               }
+-              ispipe = 1;
+       } else
+               file = filp_open(corename,
+                                O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
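Review bot: format_corename() returns `ispipe` even when it leaves through `out:` because the output buffer filled up, and do_coredump() then hands the truncated `corename+1` to call_usermodehelper_pipe() as a program path. The expansion loop is outside the visible hunks, so whether a user-influenced field can push a piped pattern past CORENAME_MAX_SIZE is inferred rather than shown; if it can, the helper that runs may not be the one the administrator configured. Consider failing the dump when a piped pattern is truncated. The comment block above the function should also document the new return value, e.g. `Returns non-zero when the pattern starts with '|' and corename holds a helper command rather than a file name.`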
diff --git a/queue-2.6.20/fix-bogus-inline-directive-in-sparc64-pci-code.patch b/queue-2.6.20/fix-bogus-inline-directive-in-sparc64-pci-code.patch
new file mode 100644 (file)
index 0000000..69057ce
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 14:43:30 2007
+From: Tom "spot" Callaway <tcallawa@redhat.com>
+Date: Tue, 17 Apr 2007 14:42:12 -0700 (PDT)
+Subject: Fix bogus inline directive in sparc64 PCI code
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070417.144212.115909291.davem@davemloft.net>
+
+From: Tom "spot" Callaway <tcallawa@redhat.com>
+
+[SPARC64]: Fix inline directive in pci_iommu.c
+
+While building a test kernel for the new esp driver (against
+git-current), I hit this bug. Trivial fix, put the inline declaration
+in the right place. :)
+
+Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/pci_iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc64/kernel/pci_iommu.c
++++ b/arch/sparc64/kernel/pci_iommu.c
+@@ -64,7 +64,7 @@ static void __iommu_flushall(struct pci_
+ #define IOPTE_IS_DUMMY(iommu, iopte)  \
+       ((iopte_val(*iopte) & IOPTE_PAGE) == (iommu)->dummy_page_pa)
+-static void inline iopte_make_dummy(struct pci_iommu *iommu, iopte_t *iopte)
++static inline void iopte_make_dummy(struct pci_iommu *iommu, iopte_t *iopte)
+ {
+       unsigned long val = iopte_val(*iopte);
diff --git a/queue-2.6.20/fix-compat-sys_ipc-on-sparc64.patch b/queue-2.6.20/fix-compat-sys_ipc-on-sparc64.patch
new file mode 100644 (file)
index 0000000..eff0952
--- /dev/null
@@ -0,0 +1,54 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 14:42:01 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 17 Apr 2007 14:40:46 -0700 (PDT)
+Subject: Fix compat sys_ipc() on sparc64
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070417.144046.59656081.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+The 32-bit syscall trampoline for sys_ipc() on sparc64
+was sign extending various arguments, which is bogus when
+using compat_sys_ipc() since that function expects zero
+extended copies of all the arguments.
+
+This bug breaks the sparc64 kernel when built with gcc-4.2.x
+among other things.
+
+[SPARC64]: Fix arg passing to compat_sys_ipc().
+
+Do not sign extend args using the sys32_ipc stub, that is
+buggy and unnecessary.
+
+Based upon an excellent report by Mikael Pettersson.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/sys32.S   |    1 -
+ arch/sparc64/kernel/systbls.S |    2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/sparc64/kernel/sys32.S
++++ b/arch/sparc64/kernel/sys32.S
+@@ -91,7 +91,6 @@ SIGN1(sys32_select, compat_sys_select, %
+ SIGN1(sys32_mkdir, sys_mkdir, %o1)
+ SIGN3(sys32_futex, compat_sys_futex, %o1, %o2, %o5)
+ SIGN1(sys32_sysfs, compat_sys_sysfs, %o0)
+-SIGN3(sys32_ipc, compat_sys_ipc, %o1, %o2, %o3)
+ SIGN2(sys32_sendfile, compat_sys_sendfile, %o0, %o1)
+ SIGN2(sys32_sendfile64, compat_sys_sendfile64, %o0, %o1)
+ SIGN1(sys32_prctl, sys_prctl, %o0)
+--- a/arch/sparc64/kernel/systbls.S
++++ b/arch/sparc64/kernel/systbls.S
+@@ -62,7 +62,7 @@ sys_call_table32:
+ /*200*/       .word sys32_ssetmask, sys_sigsuspend, compat_sys_newlstat, sys_uselib, compat_sys_old_readdir
+       .word sys32_readahead, sys32_socketcall, sys32_syslog, sys32_lookup_dcookie, sys32_fadvise64
+ /*210*/       .word sys32_fadvise64_64, sys32_tgkill, sys32_waitpid, sys_swapoff, sys32_sysinfo
+-      .word sys32_ipc, sys32_sigreturn, sys_clone, sys32_ioprio_get, compat_sys_adjtimex
++      .word compat_sys_ipc, sys32_sigreturn, sys_clone, sys32_ioprio_get, compat_sys_adjtimex
+ /*220*/       .word sys32_sigprocmask, sys_ni_syscall, sys32_delete_module, sys_ni_syscall, sys32_getpgid
+       .word sys32_bdflush, sys32_sysfs, sys_nis_syscall, sys32_setfsuid16, sys32_setfsgid16
+ /*230*/       .word sys32_select, compat_sys_time, sys32_splice, compat_sys_stime, compat_sys_statfs64
diff --git a/queue-2.6.20/fix-errors-in-tcp_mem-calculations.patch b/queue-2.6.20/fix-errors-in-tcp_mem-calculations.patch
new file mode 100644 (file)
index 0000000..978533e
--- /dev/null
@@ -0,0 +1,55 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 14:45:21 2007
+From: John Heffner <jheffner@psc.edu>
+Date: Tue, 17 Apr 2007 14:44:06 -0700 (PDT)
+Subject: Fix errors in tcp_mem[] calculations.
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070417.144406.48528481.davem@davemloft.net>
+
+From: John Heffner <jheffner@psc.edu>
+
+In 2.6.18 a change was made to the tcp_mem[] calculations,
+but this causes regressions for some folks up to 2.6.20
+
+The following fix to smooth out the calculation from the
+pending 2.6.21 tree by John Heffner fixes the problem for
+these folks.
+
+[TCP]: Fix tcp_mem[] initialization.
+
+Change tcp_mem initialization function.  The fraction of total memory
+is now a continuous function of memory size, and independent of page
+size.
+
+Signed-off-by: John Heffner <jheffner@psc.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2457,11 +2457,18 @@ void __init tcp_init(void)
+               sysctl_max_syn_backlog = 128;
+       }
+-      /* Allow no more than 3/4 kernel memory (usually less) allocated to TCP */
+-      sysctl_tcp_mem[0] = (1536 / sizeof (struct inet_bind_hashbucket)) << order;
+-      sysctl_tcp_mem[1] = sysctl_tcp_mem[0] * 4 / 3;
++      /* Set the pressure threshold to be a fraction of global memory that
++       * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
++       * memory, with a floor of 128 pages.
++       */
++      limit = min(nr_all_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
++      limit = (limit * (nr_all_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
++      limit = max(limit, 128UL);
++      sysctl_tcp_mem[0] = limit / 4 * 3;
++      sysctl_tcp_mem[1] = limit;
+       sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2;
++      /* Set per-socket limits to no more than 1/128 the pressure threshold */
+       limit = ((unsigned long)sysctl_tcp_mem[1]) << (PAGE_SHIFT - 7);
+       max_share = min(4UL*1024*1024, limit);
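Review bot: The new shifts in tcp_init() are only defined for 11 <= PAGE_SHIFT <= 20: outside that range `>> (20-PAGE_SHIFT)` or `>> (PAGE_SHIFT-11)` becomes a negative shift count, which is undefined behaviour in C. The commit message says the result is independent of page size, so the assumption deserves to be explicit, for example `BUILD_BUG_ON(PAGE_SHIFT < 11 || PAGE_SHIFT > 20);` ahead of the calculation, or a comment stating the supported range. The hunk also stores the `unsigned long` `limit` into `sysctl_tcp_mem[]`, whose element type is not visible here; if it is `int`, confirm the value cannot exceed INT_MAX on large-memory machines.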
diff --git a/queue-2.6.20/fix-irda-oops-er.patch b/queue-2.6.20/fix-irda-oops-er.patch
new file mode 100644 (file)
index 0000000..195897a
--- /dev/null
@@ -0,0 +1,57 @@
+From stable-bounces@linux.kernel.org Wed Apr 18 15:15:24 2007
+From: Olaf Kirch <olaf.kirch@oracle.com>
+Date: Wed, 18 Apr 2007 15:14:14 -0700 (PDT)
+Subject: Fix IRDA oops'er
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070418.151414.10298165.davem@davemloft.net>
+
+From: Olaf Kirch <olaf.kirch@oracle.com>
+
+This fixes and OOPS due to incorrect socket orpahning in the
+IRDA stack.
+
+[IrDA]: Correctly handling socket error
+
+This patch fixes an oops first reported in mid 2006 - see
+http://lkml.org/lkml/2006/8/29/358 The cause of this bug report is that
+when an error is signalled on the socket, irda_recvmsg_stream returns
+without removing a local wait_queue variable from the socket's sk_sleep
+queue. This causes havoc further down the road.
+
+In response to this problem, a patch was made that invoked sock_orphan on
+the socket when receiving a disconnect indication. This is not a good fix,
+as this sets sk_sleep to NULL, causing applications sleeping in recvmsg
+(and other places) to oops.
+
+This is against the latest net-2.6 and should be considered for -stable
+inclusion.
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -138,7 +138,6 @@ static void irda_disconnect_indication(v
+               sk->sk_shutdown |= SEND_SHUTDOWN;
+               sk->sk_state_change(sk);
+-                sock_orphan(sk);
+               release_sock(sk);
+               /* Close our TSAP.
+@@ -1446,7 +1445,7 @@ static int irda_recvmsg_stream(struct ki
+                        */
+                       ret = sock_error(sk);
+                       if (ret)
+-                              break;
++                              ;
+                       else if (sk->sk_shutdown & RCV_SHUTDOWN)
+                               ;
+                       else if (noblock)
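Review bot: The empty statement under `if (ret)` in irda_recvmsg_stream() is easy to misread as a mistake and to "fix" back into `break`, which would again leave the wait entry queued on sk_sleep as the description explains. A comment on that branch would record the intent, for example `/* error pending: do not sleep, but fall through so the wait entry is removed below */`. The code that removes the entry and returns `ret` lies outside the visible hunk, so it should be checked that every arm of this chain reaches it.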
diff --git a/queue-2.6.20/fix-netpoll-udp-input-path.patch b/queue-2.6.20/fix-netpoll-udp-input-path.patch
new file mode 100644 (file)
index 0000000..803d4b1
--- /dev/null
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 14:47:42 2007
+From: Aubrey.Li <aubreylee@gmail.com>
+Date: Tue, 17 Apr 2007 14:46:33 -0700 (PDT)
+Subject: Fix netpoll UDP input path
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070417.144633.08322607.davem@davemloft.net>
+
+From: Aubrey.Li <aubreylee@gmail.com>
+
+Netpoll UDP input handler needs to pull up the UDP headers
+and handle receive checksum offloading properly just like
+the normal UDP input path does else we get corrupted
+checksums.
+
+[NET]: Fix UDP checksum issue in net poll mode.
+
+In net poll mode, the current checksum function doesn't consider the
+kind of packet which is padded to reach a specific minimum length. I
+believe that's the problem causing my test case failed. The following
+patch fixed this issue.
+
+Signed-off-by: Aubrey.Li <aubreylee@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/netpoll.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -471,6 +471,13 @@ int __netpoll_rx(struct sk_buff *skb)
+       if (skb->len < len || len < iph->ihl*4)
+               goto out;
++      /*
++       * Our transport medium may have padded the buffer out.
++       * Now We trim to the true length of the frame.
++       */
++      if (pskb_trim_rcsum(skb, len))
++              goto out;
++
+       if (iph->protocol != IPPROTO_UDP)
+               goto out;
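Review bot: `iph` is dereferenced on the line right after the new pskb_trim_rcsum() call in __netpoll_rx(), but that helper can reallocate the packet's header area in some cases (a cloned, non-linear skb), which would leave `iph` pointing at freed memory. Re-derive the pointer after a successful trim, the same way it was obtained above the hunk (presumably `iph = (struct iphdr *)skb->data;`), before the `iph->protocol` test. The same applies to any other header pointer computed before the trim and used after it; the rest of the function is outside the hunk.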
diff --git a/queue-2.6.20/fix-qlogicpti-dma-unmapping.patch b/queue-2.6.20/fix-qlogicpti-dma-unmapping.patch
new file mode 100644 (file)
index 0000000..888d7d3
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Tue Apr 17 14:36:22 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 17 Apr 2007 14:35:07 -0700 (PDT)
+Subject: Fix qlogicpti DMA unmapping
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070417.143507.85411086.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[SCSI] QLOGICPTI: Do not unmap DMA unless we actually mapped something.
+
+We only map DMA when cmd->request_bufflen is non-zero for non-sg
+buffers, we thus should make the same check when unmapping.
+
+Based upon a report from Pasi Pirhonen.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/qlogicpti.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qlogicpti.c
++++ b/drivers/scsi/qlogicpti.c
+@@ -1281,7 +1281,7 @@ static struct scsi_cmnd *qlogicpti_intr_
+                                     (struct scatterlist *)Cmnd->request_buffer,
+                                     Cmnd->use_sg,
+                                     Cmnd->sc_data_direction);
+-              } else {
++              } else if (Cmnd->request_bufflen) {
+                       sbus_unmap_single(qpti->sdev,
+                                         (__u32)((unsigned long)Cmnd->SCp.ptr),
+                                         Cmnd->request_bufflen,
diff --git a/queue-2.6.20/nfs-fix-an-oops-in-nfs_setattr.patch b/queue-2.6.20/nfs-fix-an-oops-in-nfs_setattr.patch
new file mode 100644 (file)
index 0000000..d59ae1b
--- /dev/null
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Thu Apr 19 13:33:06 2007
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 19 Apr 2007 16:31:23 -0400
+Subject: [stable]  NFS: Fix an Oops in nfs_setattr()
+To: linux-stable <stable@kernel.org>
+Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
+Message-ID: <4627D19B.10208@redhat.com>
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+NFS: Fix an Oops in nfs_setattr()
+
+It looks like nfs_setattr() and nfs_rename() also need to test whether the
+target is a regular file before calling nfs_wb_all()...
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c   |    3 ++-
+ fs/nfs/inode.c |    6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1659,7 +1659,8 @@ go_ahead:
+        * ... prune child dentries and writebacks if needed.
+        */
+       if (atomic_read(&old_dentry->d_count) > 1) {
+-              nfs_wb_all(old_inode);
++              if (S_ISREG(old_inode->i_mode))
++                      nfs_wb_all(old_inode);
+               shrink_dcache_parent(old_dentry);
+       }
+       nfs_inode_return_delegation(old_inode);
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -334,8 +334,10 @@ nfs_setattr(struct dentry *dentry, struc
+       lock_kernel();
+       nfs_begin_data_update(inode);
+       /* Write all dirty data */
+-      filemap_write_and_wait(inode->i_mapping);
+-      nfs_wb_all(inode);
++      if (S_ISREG(inode->i_mode)) {
++              filemap_write_and_wait(inode->i_mapping);
++              nfs_wb_all(inode);
++      }
+       /*
+        * Return any delegations if we're going to change ACLs
+        */
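Review bot: The reason for the new `S_ISREG()` guards is recorded only in the commit message, and the surviving comment `/* Write all dirty data */` in nfs_setattr() now reads as if the flush were unconditional. Suggest rewording it to `/* Write all dirty data; nfs_wb_all() must only be called on regular files */` and adding a matching one-line comment above the guard in the nfs_rename() hunk in fs/nfs/dir.c. Both functions continue outside the hunks shown.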
index 27177a7f1992cd0422e14c74a7e2bb23817d339f..e0f80c380171c95a1877dd42ecd5e53c5cefb5dd 100644 (file)
@@ -8,3 +8,14 @@ holepunch-fix-shmem_truncate_range-punch-locking.patch
 holepunch-fix-disconnected-pages-after-second-truncate.patch
 holepunch-fix-mmap_sem-i_mutex-deadlock.patch
 fix-sparc64-sbus-iommu-allocator.patch
+fix-qlogicpti-dma-unmapping.patch
+fix-compat-sys_ipc-on-sparc64.patch
+fix-bogus-inline-directive-in-sparc64-pci-code.patch
+fix-errors-in-tcp_mem-calculations.patch
+fix-netpoll-udp-input-path.patch
+fix-irda-oops-er.patch
+cache_k8_northbridges-overflows-beyond-allocation.patch
+exec.c-fix-coredump-to-pipe-problem-and-obscure-security-hole.patch
+nfs-fix-an-oops-in-nfs_setattr.patch
+x86-don-t-probe-for-ddc-on-vbe1.2.patch
+vt-fix-potential-race-in-vt_waitactive-handler.patch
diff --git a/queue-2.6.20/vt-fix-potential-race-in-vt_waitactive-handler.patch b/queue-2.6.20/vt-fix-potential-race-in-vt_waitactive-handler.patch
new file mode 100644 (file)
index 0000000..c2acbf0
--- /dev/null
@@ -0,0 +1,55 @@
+From stable-bounces@linux.kernel.org Thu Apr 19 13:36:11 2007
+From: Michal Januszewski <spock@gentoo.org>
+Date: Thu, 19 Apr 2007 16:34:50 -0400
+Subject: vt: fix potential race in VT_WAITACTIVE handler
+To: linux-stable <stable@kernel.org>
+Cc: Antonino Daplas <adaplas@pol.net>
+Message-ID: <4627D26A.70806@redhat.com>
+
+From: Michal Januszewski <spock@gentoo.org>
+
+[PATCH] vt: fix potential race in VT_WAITACTIVE handler
+
+On a multiprocessor machine the VT_WAITACTIVE ioctl call may return 0 if
+fg_console has already been updated in redraw_screen() but the console
+switch itself hasn't been completed.  Fix this by checking fg_console in
+vt_waitactive() with the console sem held.
+
+Signed-off-by: Michal Januszewski <spock@gentoo.org>
+Acked-by: Antonino Daplas <adaplas@pol.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/vt_ioctl.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/vt_ioctl.c
++++ b/drivers/char/vt_ioctl.c
+@@ -1038,10 +1038,22 @@ int vt_waitactive(int vt)
+       add_wait_queue(&vt_activate_queue, &wait);
+       for (;;) {
+-              set_current_state(TASK_INTERRUPTIBLE);
+               retval = 0;
+-              if (vt == fg_console)
++
++              /*
++               * Synchronize with redraw_screen(). By acquiring the console
++               * semaphore we make sure that the console switch is completed
++               * before we return. If we didn't wait for the semaphore, we
++               * could return at a point where fg_console has already been
++               * updated, but the console switch hasn't been completed.
++               */
++              acquire_console_sem();
++              set_current_state(TASK_INTERRUPTIBLE);
++              if (vt == fg_console) {
++                      release_console_sem();
+                       break;
++              }
++              release_console_sem();
+               retval = -EINTR;
+               if (signal_pending(current))
+                       break;
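Review bot: In vt_waitactive() both release_console_sem() calls now run after `set_current_state(TASK_INTERRUPTIBLE)`, so whatever that function does executes with the task already marked as sleeping; its body is not visible here, but releasing the console semaphore typically also flushes pending console output. If anything on that path blocks, the task state is reset and the schedule() that presumably follows outside the hunk degrades to an immediate re-check. The ordering is needed to avoid a missed wake-up, so the suggestion is a comment rather than a reorder, e.g. `/* state is TASK_INTERRUPTIBLE from here on: release_console_sem() must not sleep */`. The existing comment could also say that acquire_console_sem() may itself sleep, which is why the state is set only after it returns.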
diff --git a/queue-2.6.20/x86-don-t-probe-for-ddc-on-vbe1.2.patch b/queue-2.6.20/x86-don-t-probe-for-ddc-on-vbe1.2.patch
new file mode 100644 (file)
index 0000000..cccb598
--- /dev/null
@@ -0,0 +1,113 @@
+From stable-bounces@linux.kernel.org Thu Apr 19 13:34:34 2007
+From: Zwane Mwaikambo <zwane@infradead.org>
+Date: Thu, 19 Apr 2007 16:33:13 -0400
+Subject: x86: Don't probe for DDC on VBE1.2
+To: linux-stable <stable@kernel.org>
+Cc: Andi Kleen <ak@suse.de>, Zwane Mwaikambo <zwane@infradead.org>
+Message-ID: <4627D209.4000201@redhat.com>
+
+From: Zwane Mwaikambo <zwane@infradead.org>
+
+[PATCH] x86: Don't probe for DDC on VBE1.2
+
+VBE1.2 doesn't support function 15h (DDC) resulting in a 'hang' whilst
+uncompressing kernel with some video cards. Make sure we check VBE version
+before fiddling around with DDC.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=1458
+
+Opened: 2003-10-30 09:12 Last update: 2007-02-13 22:03
+
+Much thanks to Tobias Hain for help in testing and investigating the bug.
+Tested on;
+
+i386, Chips & Technologies 65548 VESA VBE 1.2
+CONFIG_VIDEO_SELECT=Y
+CONFIG_FIRMWARE_EDID=Y
+
+Untested on x86_64.
+
+Signed-off-by: Zwane Mwaikambo <zwane@infradead.org>
+Signed-off-by: Andi Kleen <ak@suse.de>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/boot/video.S   |   14 ++++++++++++++
+ arch/x86_64/boot/video.S |   14 ++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/arch/i386/boot/video.S
++++ b/arch/i386/boot/video.S
+@@ -571,6 +571,16 @@ setr1:    lodsw
+       jmp     _m_s
+ check_vesa:
++#ifdef CONFIG_FIRMWARE_EDID
++      leaw    modelist+1024, %di
++      movw    $0x4f00, %ax
++      int     $0x10
++      cmpw    $0x004f, %ax
++      jnz     setbad
++
++      movw    4(%di), %ax
++      movw    %ax, vbe_version
++#endif
+       leaw    modelist+1024, %di
+       subb    $VIDEO_FIRST_VESA>>8, %bh
+       movw    %bx, %cx                        # Get mode information structure
+@@ -1945,6 +1955,9 @@ store_edid:
+       rep
+       stosl
++      cmpw    $0x0200, vbe_version            # only do EDID on >= VBE2.0
++      jl      no_edid
++
+       pushw   %es                             # save ES
+       xorw    %di, %di                        # Report Capability
+       pushw   %di
+@@ -1987,6 +2000,7 @@ do_restore:      .byte   0       # Screen contents al
+ svga_prefix:  .byte   VIDEO_FIRST_BIOS>>8     # Default prefix for BIOS modes
+ graphic_mode: .byte   0       # Graphic mode with a linear frame buffer
+ dac_size:     .byte   6       # DAC bit depth
++vbe_version:  .word   0       # VBE bios version
+ # Status messages
+ keymsg:               .ascii  "Press <RETURN> to see video modes available, "
+--- a/arch/x86_64/boot/video.S
++++ b/arch/x86_64/boot/video.S
+@@ -571,6 +571,16 @@ setr1:    lodsw
+       jmp     _m_s
+ check_vesa:
++#ifdef CONFIG_FIRMWARE_EDID
++      leaw    modelist+1024, %di
++      movw    $0x4f00, %ax
++      int     $0x10
++      cmpw    $0x004f, %ax
++      jnz     setbad
++
++      movw    4(%di), %ax
++      movw    %ax, vbe_version
++#endif
+       leaw    modelist+1024, %di
+       subb    $VIDEO_FIRST_VESA>>8, %bh
+       movw    %bx, %cx                        # Get mode information structure
+@@ -1945,6 +1955,9 @@ store_edid:
+       rep
+       stosl
++      cmpw    $0x0200, vbe_version            # only do EDID on >= VBE2.0
++      jl      no_edid
++
+       pushw   %es                             # save ES
+       xorw    %di, %di                        # Report Capability
+       pushw   %di
+@@ -1987,6 +2000,7 @@ do_restore:      .byte   0       # Screen contents al
+ svga_prefix:  .byte   VIDEO_FIRST_BIOS>>8     # Default prefix for BIOS modes
+ graphic_mode: .byte   0       # Graphic mode with a linear frame buffer
+ dac_size:     .byte   6       # DAC bit depth
++vbe_version:  .word   0       # VBE bios version
+ # Status messages
+ keymsg:               .ascii  "Press <RETURN> to see video modes available, "
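Review bot: `vbe_version` starts at 0 and is written only in check_vesa, yet store_edid now branches to no_edid whenever it is below 0x0200, in both arch/i386/boot/video.S and arch/x86_64/boot/video.S. If store_edid can run on a boot where check_vesa was never reached (the call paths are outside these hunks), EDID is skipped even on a VBE 2.0+ BIOS. Either query function 0x4f00 in store_edid itself or document the ordering dependency next to the compare, e.g. `# vbe_version is filled in by check_vesa; 0 means not probed`. `jl` is a signed compare; `jb` would match the unsigned version word, though that only matters for values at or above 0x8000.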