2.6.15.2 and 2.6.14.7 review cycle started
authorGreg Kroah-Hartman <gregkh@suse.de>
Sat, 28 Jan 2006 02:17:14 +0000 (18:17 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sat, 28 Jan 2006 02:17:14 +0000 (18:17 -0800)
22 files changed:
review-2.6.14/2.6.14.7-review.mbox [new file with mode: 0644]
review-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch [moved from queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch with 100% similarity]
review-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch [moved from queue-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch with 99% similarity]
review-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch [moved from queue-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch with 100% similarity]
review-2.6.14/series [moved from queue-2.6.14/series with 100% similarity]
review-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch [moved from queue-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch with 100% similarity]
review-2.6.14/sparc64-fix-ptrace.patch [moved from queue-2.6.14/sparc64-fix-ptrace.patch with 100% similarity]
review-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch [moved from queue-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch with 100% similarity]
review/2.6.15.2-review.mbox [new file with mode: 0644]
review/elevator-as-back-compatibility.patch [moved from queue/elevator-as-back-compatibility.patch with 100% similarity]
review/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch [moved from queue/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch with 100% similarity]
review/fix-i2o_scsi-oops-on-abort.patch [moved from queue/fix-i2o_scsi-oops-on-abort.patch with 100% similarity]
review/fix-mkiss-locking-bug.patch [moved from queue/fix-mkiss-locking-bug.patch with 100% similarity]
review/fix-oops-in-ufs_fill_super-at-mount-time.patch [moved from queue/fix-oops-in-ufs_fill_super-at-mount-time.patch with 100% similarity]
review/input-hid-fix-an-oops-in-pid-initialization-code.patch [moved from queue/input-hid-fix-an-oops-in-pid-initialization-code.patch with 100% similarity]
review/kill-blk_attempt_remerge.patch [moved from queue/kill-blk_attempt_remerge.patch with 100% similarity]
review/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch [moved from queue/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch with 100% similarity]
review/net-make-second-arg-to-skb_reserved-signed.patch [moved from queue/net-make-second-arg-to-skb_reserved-signed.patch with 100% similarity]
review/series [moved from queue/series with 100% similarity]
review/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch [moved from queue/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch with 100% similarity]
review/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch [moved from queue/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch with 100% similarity]
review/usb-audio-dont-use-empty-packets-at-start-of-playback.patch [moved from queue/usb-audio-dont-use-empty-packets-at-start-of-playback.patch with 100% similarity]

diff --git a/review-2.6.14/2.6.14.7-review.mbox b/review-2.6.14/2.6.14.7-review.mbox
new file mode 100644 (file)
index 0000000..5ebf4a3
--- /dev/null
@@ -0,0 +1,507 @@
+From greg@press.kroah.org Fri Jan 27 18:00:39 2006
+Message-Id: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 17:58:41 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 0/6] 2.6.14.7 -stable review
+Status: RO
+Content-Length: 735
+Lines: 17
+
+This is the start of the stable review cycle for the 2.6.14.7 release.
+There are 6 patches in this series, all will be posted as a response to
+this one.  If anyone has any issues with these being applied, please let
+us know.  If anyone is a maintainer of the proper subsystem, and wants
+to add a signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line.  If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list.  If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Monday, January 30, 00:00:00 UTC.  Anything
+received after that time, might be too late.
+
+thanks,
+
+the -stable release team
+
+From greg@press.kroah.org Fri Jan 27 18:00:40 2006
+Message-Id: <20060128020039.784060000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, shaohua.li@intel.com
+Subject: [patch 1/6] setting irq affinity is broken in ia32 with MSI enabled
+Content-Disposition: inline; filename=setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch
+Status: RO
+Content-Length: 1167
+Lines: 41
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+Setting irq affinity stops working when MSI is enabled.  With MSI, move_irq
+is empty, so we can't change irq affinity.  It appears a typo in Ashok's
+original commit for this issue.  X86_64 actually is using move_native_irq.
+
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/i386/kernel/io_apic.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.14.6.orig/arch/i386/kernel/io_apic.c
++++ linux-2.6.14.6/arch/i386/kernel/io_apic.c
+@@ -1937,7 +1937,7 @@ static void ack_edge_ioapic_vector(unsig
+ {
+       int irq = vector_to_irq(vector);
+-      move_irq(vector);
++      move_native_irq(vector);
+       ack_edge_ioapic_irq(irq);
+ }
+@@ -1952,7 +1952,7 @@ static void end_level_ioapic_vector (uns
+ {
+       int irq = vector_to_irq(vector);
+-      move_irq(vector);
++      move_native_irq(vector);
+       end_level_ioapic_irq(irq);
+ }
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:00:40 2006
+Message-Id: <20060128020040.687499000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:02 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, davem@davemloft.net, bdschuym@pandora.be
+Subject: [patch 2/6] [EBTABLES] Don't match tcp/udp source/destination port for IP fragments
+Content-Disposition: inline; filename=fix-bridge-netfilter-matching-ip-fragments.patch
+Status: RO
+Content-Length: 1065
+Lines: 34
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Bart De Schuymer <bdschuym@pandora.be>
+
+Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/bridge/netfilter/ebt_ip.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.14.6.orig/net/bridge/netfilter/ebt_ip.c
++++ linux-2.6.14.6/net/bridge/netfilter/ebt_ip.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_bridge/ebtables.h>
+ #include <linux/netfilter_bridge/ebt_ip.h>
+ #include <linux/ip.h>
++#include <net/ip.h>
+ #include <linux/in.h>
+ #include <linux/module.h>
+@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk
+               if (!(info->bitmask & EBT_IP_DPORT) &&
+                   !(info->bitmask & EBT_IP_SPORT))
+                       return EBT_MATCH;
++              if (ntohs(ih->frag_off) & IP_OFFSET)
++                      return EBT_NOMATCH;
+               pptr = skb_header_pointer(skb, ih->ihl*4,
+                                         sizeof(_ports), &_ports);
+               if (pptr == NULL)
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:00:41 2006
+Message-Id: <20060128020041.271240000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:03 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, davem@davemloft.net, richm@oldelvet.org.uk
+Subject: [patch 3/6] [SPARC64]: Fix ptrace/strace
+Content-Disposition: inline; filename=sparc64-fix-ptrace.patch
+Status: RO
+Content-Length: 1392
+Lines: 45
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Richard Mortimer <richm@oldelvet.org.uk>
+
+Don't clobber register %l0 while checking TI_SYS_NOERROR value in
+syscall return path.  This bug was introduced by:
+
+db7d9a4eb700be766cc9f29241483dbb1e748832
+
+Problem narrowed down by Luis F. Ortiz and Richard Mortimer.
+
+I tried using %l2 as suggested by Luis and that works for me.
+
+Looking at the code I wonder if it makes sense to simplify the code
+a little bit. The following works for me but I'm not sure how to
+exercise the "NOERROR" codepath.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc64/kernel/entry.S |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- linux-2.6.14.6.orig/arch/sparc64/kernel/entry.S
++++ linux-2.6.14.6/arch/sparc64/kernel/entry.S
+@@ -1657,13 +1657,10 @@ ret_sys_call:
+       /* Check if force_successful_syscall_return()
+        * was invoked.
+        */
+-      ldub            [%curptr + TI_SYS_NOERROR], %l0
+-      brz,pt          %l0, 1f
+-       nop
+-      ba,pt           %xcc, 80f
++      ldub            [%curptr + TI_SYS_NOERROR], %l2
++      brnz,a,pn       %l2, 80f
+        stb            %g0, [%curptr + TI_SYS_NOERROR]
+-1:
+       cmp             %o0, -ERESTART_RESTARTBLOCK
+       bgeu,pn         %xcc, 1f
+        andcc          %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:00:43 2006
+Message-Id: <20060128020042.145964000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:04 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, davem@davemloft.net
+Subject: [patch 4/6] [SPARC64]: Fix sys_fstat64() entry in 64-bit syscall table.
+Content-Disposition: inline; filename=sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch
+Status: RO
+Content-Length: 1179
+Lines: 28
+
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: "David S. Miller" <davem@davemloft.net>
+
+Noticed by Jakub Jelinek.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc64/kernel/systbls.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.14.6.orig/arch/sparc64/kernel/systbls.S
++++ linux-2.6.14.6/arch/sparc64/kernel/systbls.S
+@@ -98,7 +98,7 @@ sys_call_table:
+       .word sys_umount, sys_setgid, sys_getgid, sys_signal, sys_geteuid
+ /*50*/        .word sys_getegid, sys_acct, sys_memory_ordering, sys_nis_syscall, sys_ioctl
+       .word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve
+-/*60*/        .word sys_umask, sys_chroot, sys_newfstat, sys_stat64, sys_getpagesize
++/*60*/        .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize
+       .word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall
+ /*70*/        .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect
+       .word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:00:45 2006
+Message-Id: <20060128020044.285351000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:05 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, kaber@trash.net
+Subject: [patch 5/6] [NETFILTER]: Fix crash in ip_nat_pptp (CVE-2006-0036)
+Content-Disposition: inline; filename=netfilter-fix-crash-in-ip_nat_pptp.patch
+Status: RO
+Content-Length: 1004
+Lines: 31
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+
+From: Patrick McHardy <kaber@trash.net>
+
+When an inbound PPTP_IN_CALL_REQUEST packet is received the
+PPTP NAT helper uses a NULL pointer in pointer arithmentic to
+calculate the offset in the packet which needs to be mangled
+and corrupts random memory or crashes.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/netfilter/ip_nat_helper_pptp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
++++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
+@@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
+               break;
+       case PPTP_IN_CALL_REQUEST:
+               /* only need to nat in case PAC is behind NAT box */
+-              break;
++              return NF_ACCEPT;
+       case PPTP_WAN_ERROR_NOTIFY:
+               pcid = &pptpReq->wanerr.peersCallID;
+               break;
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:00:46 2006
+Message-Id: <20060128020045.469709000@press.kroah.org>
+References: <20060128015840.722214000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:06 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, kaber@trash.net
+Subject: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
+Content-Disposition: inline; filename=netfilter-fix-another-crash-in-ip_nat_pptp.patch
+Status: RO
+Content-Length: 5633
+Lines: 152
+
+-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Patrick McHardy <kaber@trash.net>
+
+The PPTP NAT helper calculates the offset at which the packet needs
+to be mangled as difference between two pointers to the header. With
+non-linear skbs however the pointers may point to two seperate buffers
+on the stack and the calculation results in a wrong offset beeing
+used.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/netfilter/ip_nat_helper_pptp.c |   57 +++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
++++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
+@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
+ {
+       struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
+       struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
+-
+-      u_int16_t msg, *cid = NULL, new_callid;
++      u_int16_t msg, new_callid;
++      unsigned int cid_off;
+       new_callid = htons(ct_pptp_info->pns_call_id);
+       
+       switch (msg = ntohs(ctlh->messageType)) {
+               case PPTP_OUT_CALL_REQUEST:
+-                      cid = &pptpReq->ocreq.callID;
++                      cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
+                       /* FIXME: ideally we would want to reserve a call ID
+                        * here.  current netfilter NAT core is not able to do
+                        * this :( For now we use TCP source port. This breaks
+@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
+                       ct_pptp_info->pns_call_id = ntohs(new_callid);
+                       break;
+               case PPTP_IN_CALL_REPLY:
+-                      cid = &pptpReq->icreq.callID;
++                      cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
+                       break;
+               case PPTP_CALL_CLEAR_REQUEST:
+-                      cid = &pptpReq->clrreq.callID;
++                      cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
+                       break;
+               default:
+                       DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
+@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
+       /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
+        * down to here */
+-
+-      IP_NF_ASSERT(cid);
+-
+       DEBUGP("altering call id from 0x%04x to 0x%04x\n",
+-              ntohs(*cid), ntohs(new_callid));
++              ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
+       /* mangle packet */
+       if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+-              (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
+-                                      sizeof(new_callid), 
+-                                      (char *)&new_callid,
+-                                      sizeof(new_callid)) == 0)
++                                   cid_off + sizeof(struct pptp_pkt_hdr) +
++                                   sizeof(struct PptpControlHeader),
++                                   sizeof(new_callid), (char *)&new_callid,
++                                   sizeof(new_callid)) == 0)
+               return NF_DROP;
+       return NF_ACCEPT;
+@@ -297,7 +294,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
+                union pptp_ctrl_union *pptpReq)
+ {
+       struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
+-      u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
++      u_int16_t msg, new_cid = 0, new_pcid;
++      unsigned int pcid_off, cid_off = 0;
+       int ret = NF_ACCEPT, rv;
+@@ -305,23 +303,23 @@ pptp_inbound_pkt(struct sk_buff **pskb,
+       switch (msg = ntohs(ctlh->messageType)) {
+       case PPTP_OUT_CALL_REPLY:
+-              pcid = &pptpReq->ocack.peersCallID;     
+-              cid = &pptpReq->ocack.callID;
++              pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
++              cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
+               break;
+       case PPTP_IN_CALL_CONNECT:
+-              pcid = &pptpReq->iccon.peersCallID;
++              pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
+               break;
+       case PPTP_IN_CALL_REQUEST:
+               /* only need to nat in case PAC is behind NAT box */
+               return NF_ACCEPT;
+       case PPTP_WAN_ERROR_NOTIFY:
+-              pcid = &pptpReq->wanerr.peersCallID;
++              pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
+               break;
+       case PPTP_CALL_DISCONNECT_NOTIFY:
+-              pcid = &pptpReq->disc.callID;
++              pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
+               break;
+       case PPTP_SET_LINK_INFO:
+-              pcid = &pptpReq->setlink.peersCallID;
++              pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
+               break;
+       default:
+@@ -343,25 +341,24 @@ pptp_inbound_pkt(struct sk_buff **pskb,
+        * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
+       /* mangle packet */
+-      IP_NF_ASSERT(pcid);
+       DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
+-              ntohs(*pcid), ntohs(new_pcid));
++              ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
+       
+-      rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
+-                                    (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
++      rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
++                                    pcid_off + sizeof(struct pptp_pkt_hdr) +
++                                    sizeof(struct PptpControlHeader),
+                                     sizeof(new_pcid), (char *)&new_pcid, 
+                                     sizeof(new_pcid));
+       if (rv != NF_ACCEPT) 
+               return rv;
+       if (new_cid) {
+-              IP_NF_ASSERT(cid);
+               DEBUGP("altering call id from 0x%04x to 0x%04x\n",
+-                      ntohs(*cid), ntohs(new_cid));
+-              rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
+-                                            (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)), 
+-                                            sizeof(new_cid),
+-                                            (char *)&new_cid, 
++                      ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
++              rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
++                                            cid_off + sizeof(struct pptp_pkt_hdr) +
++                                            sizeof(struct PptpControlHeader),
++                                            sizeof(new_cid), (char *)&new_cid,
+                                             sizeof(new_cid));
+               if (rv != NF_ACCEPT)
+                       return rv;
+
+--
+
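Review bot: In patch 6/6 the three rewritten DEBUGP calls (one in pptp_outbound_pkt, two in pptp_inbound_pkt) print the wrong value, because in `ntohs(*(u_int16_t *)pptpReq + cid_off)` the cast and dereference bind before the `+`, so the first 16-bit word of the union is read and the byte offset is added to it. The intended read is `ntohs(*(u_int16_t *)((char *)pptpReq + cid_off))`, and likewise with `pcid_off`; only debug output is affected, since the offsets passed to ip_nat_mangle_tcp_packet() are computed separately. Separately, `cid_off` in pptp_outbound_pkt and `pcid_off` in pptp_inbound_pkt are declared without an initializer now that the IP_NF_ASSERT checks are removed, so every switch case that reaches the mangle call must set them. The `default:` branches are cut off by the embedded hunks, so it is worth confirming that they leave the function, since an unset offset would decide where the packet is rewritten. Both functions start and end outside the embedded hunks.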
similarity index 99%
rename from queue-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch
rename to review-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch
index 7ed9683023d64a0752e2f7ec8756041de128a0d9..a81b302f15e2289b4737313f6ad0d55f89f59edb 100644 (file)
@@ -147,7 +147,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 +              rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
 +                                            cid_off + sizeof(struct pptp_pkt_hdr) +
 +                                            sizeof(struct PptpControlHeader),
-+                                            sizeof(new_cid), (char *)&new_cid, 
++                                            sizeof(new_cid), (char *)&new_cid,
                                              sizeof(new_cid));
                if (rv != NF_ACCEPT)
                        return rv;
similarity index 100%
rename from queue-2.6.14/series
rename to review-2.6.14/series
diff --git a/review/2.6.15.2-review.mbox b/review/2.6.15.2-review.mbox
new file mode 100644 (file)
index 0000000..afcfabd
--- /dev/null
@@ -0,0 +1,954 @@
+From greg@press.kroah.org Fri Jan 27 18:08:10 2006
+Message-Id: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 18:06:29 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/12] 2.6.15.2 -stable review
+Content-Length: 739
+Lines: 18
+
+
+This is the start of the stable review cycle for the 2.6.11.5.2 release.
+There are 12 patches in this series, all will be posted as a response to
+this one.  If anyone has any issues with these being applied, please let
+us know.  If anyone is a maintainer of the proper subsystem, and wants
+to add a signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the Cc:
+line.  If you wish to be a reviewer, please email stable@kernel.org to
+add your name to the list.  If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Monday, January 30, 00:00:00 UTC.  Anything
+received after that time, might be too late.
+
+thanks,
+
+the -stable release team
+
+From greg@press.kroah.org Fri Jan 27 18:08:10 2006
+Message-Id: <20060128020810.644064000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, clemens@ladisch.de, tiwai@suse.de,
+ alsa-devel@lists.sourceforge.net
+Subject: [patch 01/12] usb-audio: don't use empty packets at start of playback
+Content-Disposition: inline; filename=usb-audio-dont-use-empty-packets-at-start-of-playback.patch
+Content-Length: 2247
+Lines: 69
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let
+us know.
+
+------------------
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+Some widespread USB interface chips with adaptive iso endpoints hang
+after receiving a series of empty packets when they expect data.  This
+completely disables audio playback on those devices.  To avoid this, we
+have to send packets containing silence (zero samples) instead.
+
+ALSA bug: http://bugtrack.alsa-project.org/alsa-bug/view.php?id=1585
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ sound/usb/usbaudio.c |   26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- linux-2.6.15.1.orig/sound/usb/usbaudio.c
++++ linux-2.6.15.1/sound/usb/usbaudio.c
+@@ -480,22 +480,38 @@ static int retire_playback_sync_urb_hs(s
+ /*
+  * Prepare urb for streaming before playback starts.
+  *
+- * We don't care about (or have) any data, so we just send a transfer delimiter.
++ * We don't yet have data, so we send a frame of silence.
+  */
+ static int prepare_startup_playback_urb(snd_usb_substream_t *subs,
+                                       snd_pcm_runtime_t *runtime,
+                                       struct urb *urb)
+ {
+-      unsigned int i;
++      unsigned int i, offs, counts;
+       snd_urb_ctx_t *ctx = urb->context;
++      int stride = runtime->frame_bits >> 3;
++      offs = 0;
+       urb->dev = ctx->subs->dev;
+       urb->number_of_packets = subs->packs_per_ms;
+       for (i = 0; i < subs->packs_per_ms; ++i) {
+-              urb->iso_frame_desc[i].offset = 0;
+-              urb->iso_frame_desc[i].length = 0;
++              /* calculate the size of a packet */
++              if (subs->fill_max)
++                      counts = subs->maxframesize; /* fixed */
++              else {
++                      subs->phase = (subs->phase & 0xffff)
++                              + (subs->freqm << subs->datainterval);
++                      counts = subs->phase >> 16;
++                      if (counts > subs->maxframesize)
++                              counts = subs->maxframesize;
++              }
++              urb->iso_frame_desc[i].offset = offs * stride;
++              urb->iso_frame_desc[i].length = counts * stride;
++              offs += counts;
+       }
+-      urb->transfer_buffer_length = 0;
++      urb->transfer_buffer_length = offs * stride;
++      memset(urb->transfer_buffer,
++             subs->cur_audiofmt->format == SNDRV_PCM_FORMAT_U8 ? 0x80 : 0,
++             offs * stride);
+       return 0;
+ }
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:10 2006
+Message-Id: <20060128020810.762920000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:02 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, axboe@suse.de
+Subject: [patch 02/12] [BLOCK] Kill blk_attempt_remerge()
+Content-Disposition: inline; filename=kill-blk_attempt_remerge.patch
+Content-Length: 3249
+Lines: 95
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Jens Axboe <axboe@suse.de>
+
+[BLOCK] Kill blk_attempt_remerge()
+
+It's a broken interface, it's done way too late. And apparently it triggers
+slab problems in recent kernels as well (most likely after the generic dispatch
+code was merged). So kill it, ide-cd is the only user of it.
+
+chrisw: backport to 2.6.15 tree
+
+Signed-off-by: Jens Axboe <axboe@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ block/ll_rw_blk.c      |   24 ------------------------
+ drivers/ide/ide-cd.c   |   10 ----------
+ include/linux/blkdev.h |    1 -
+ 3 files changed, 35 deletions(-)
+
+--- linux-2.6.15.1.orig/block/ll_rw_blk.c
++++ linux-2.6.15.1/block/ll_rw_blk.c
+@@ -2609,30 +2609,6 @@ static inline int attempt_front_merge(re
+       return 0;
+ }
+-/**
+- * blk_attempt_remerge  - attempt to remerge active head with next request
+- * @q:    The &request_queue_t belonging to the device
+- * @rq:   The head request (usually)
+- *
+- * Description:
+- *    For head-active devices, the queue can easily be unplugged so quickly
+- *    that proper merging is not done on the front request. This may hurt
+- *    performance greatly for some devices. The block layer cannot safely
+- *    do merging on that first request for these queues, but the driver can
+- *    call this function and make it happen any way. Only the driver knows
+- *    when it is safe to do so.
+- **/
+-void blk_attempt_remerge(request_queue_t *q, struct request *rq)
+-{
+-      unsigned long flags;
+-
+-      spin_lock_irqsave(q->queue_lock, flags);
+-      attempt_back_merge(q, rq);
+-      spin_unlock_irqrestore(q->queue_lock, flags);
+-}
+-
+-EXPORT_SYMBOL(blk_attempt_remerge);
+-
+ static int __make_request(request_queue_t *q, struct bio *bio)
+ {
+       struct request *req;
+--- linux-2.6.15.1.orig/drivers/ide/ide-cd.c
++++ linux-2.6.15.1/drivers/ide/ide-cd.c
+@@ -1332,8 +1332,6 @@ static ide_startstop_t cdrom_start_read 
+       if (cdrom_read_from_buffer(drive))
+               return ide_stopped;
+-      blk_attempt_remerge(drive->queue, rq);
+-
+       /* Clear the local sector buffer. */
+       info->nsectors_buffered = 0;
+@@ -1874,14 +1872,6 @@ static ide_startstop_t cdrom_start_write
+               return ide_stopped;
+       }
+-      /*
+-       * for dvd-ram and such media, it's a really big deal to get
+-       * big writes all the time. so scour the queue and attempt to
+-       * remerge requests, often the plugging will not have had time
+-       * to do this properly
+-       */
+-      blk_attempt_remerge(drive->queue, rq);
+-
+       info->nsectors_buffered = 0;
+       /* use dma, if possible. we don't need to check more, since we
+--- linux-2.6.15.1.orig/include/linux/blkdev.h
++++ linux-2.6.15.1/include/linux/blkdev.h
+@@ -559,7 +559,6 @@ extern void register_disk(struct gendisk
+ extern void generic_make_request(struct bio *bio);
+ extern void blk_put_request(struct request *);
+ extern void blk_end_sync_rq(struct request *rq);
+-extern void blk_attempt_remerge(request_queue_t *, struct request *);
+ extern struct request *blk_get_request(request_queue_t *, int, gfp_t);
+ extern void blk_insert_request(request_queue_t *, struct request *, int, void *);
+ extern void blk_requeue_request(request_queue_t *, struct request *);
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:10 2006
+Message-Id: <20060128020810.878061000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:03 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, dtor@mail.ru
+Subject: [patch 03/12] Input: HID - fix an oops in PID initialization code
+Content-Disposition: inline; filename=input-hid-fix-an-oops-in-pid-initialization-code.patch
+Content-Length: 966
+Lines: 29
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Dmitry Torokhov <dtor_core@ameritech.net>
+
+Input: HID - fix an oops in PID initialization code
+
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/usb/input/pid.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.1.orig/drivers/usb/input/pid.c
++++ linux-2.6.15.1/drivers/usb/input/pid.c
+@@ -259,7 +259,7 @@ static int hid_pid_upload_effect(struct 
+ int hid_pid_init(struct hid_device *hid)
+ {
+       struct hid_ff_pid *private;
+-      struct hid_input *hidinput = list_entry(&hid->inputs, struct hid_input, list);
++      struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+       struct input_dev *input_dev = hidinput->input;
+       private = hid->ff_private = kzalloc(sizeof(struct hid_ff_pid), GFP_KERNEL);
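Review bot: The new initialiser `list_entry(hid->inputs.next, struct hid_input, list)` in hid_pid_init() still assumes the list holds at least one element. On an empty list `inputs.next` points back at the list head, so `hidinput->input` on the following line would read from inside `struct hid_device` instead of a real `hid_input`, the same kind of bad pointer this patch removes. Whether every caller guarantees a non-empty list is not visible here, so I would guard the first use with `if (list_empty(&hid->inputs)) return -ENODEV;` and do the `list_entry()` assignment after that check. The function body continues past the end of the hunk, so the return value should follow whatever error convention the rest of hid_pid_init() uses.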
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.234763000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:06 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, 76306.1226@compuserve.com,
+ nickpiggin@yahoo.com.au, axboe@suse.de
+Subject: [patch 06/12] elevator=as back-compatibility
+Content-Disposition: inline; filename=elevator-as-back-compatibility.patch
+Content-Length: 1103
+Lines: 38
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Chuck Ebbert <76306.1226@compuserve.com>
+
+As of 2.6.15 you need to use "anticipatory" instead of "as".  Fix that up
+so that `elevator=as' still works.
+
+Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
+Cc: Nick Piggin <nickpiggin@yahoo.com.au>
+Cc: Jens Axboe <axboe@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ block/elevator.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- linux-2.6.15.1.orig/block/elevator.c
++++ linux-2.6.15.1/block/elevator.c
+@@ -150,6 +150,13 @@ static void elevator_setup_default(void)
+       if (!chosen_elevator[0])
+               strcpy(chosen_elevator, CONFIG_DEFAULT_IOSCHED);
++      /*
++       * Be backwards-compatible with previous kernels, so users
++       * won't get the wrong elevator.
++       */
++      if (!strcmp(chosen_elevator, "as"))
++              strcpy(chosen_elevator, "anticipatory");
++
+       /*
+        * If the given scheduler is not available, fall back to no-op.
+        */
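Review bot: The added `strcpy(chosen_elevator, "anticipatory")` replaces a two-character value with a thirteen-byte one and carries no bound, while the size of `chosen_elevator` is declared outside this hunk. The copy is therefore only safe as long as that array stays large enough. A bounded copy makes the limit explicit: `strlcpy(chosen_elevator, "anticipatory", sizeof(chosen_elevator));`, assuming `chosen_elevator` is an array and not a pointer. The same applies to the `strcpy()` of `CONFIG_DEFAULT_IOSCHED` in the context line above; elevator_setup_default() starts and ends outside the hunk.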
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.114239000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:05 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, dushistov@mail.ru, adobriyan@gmail.com
+Subject: [patch 05/12] Fix oops in ufs_fill_super at mount time
+Content-Disposition: inline; filename=fix-oops-in-ufs_fill_super-at-mount-time.patch
+Content-Length: 1355
+Lines: 38
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Evgeniy <dushistov@mail.ru>
+
+There's a lack of parenthesis in fs/ufs/utils.h, so instead of the 512th
+byte of buffer, the usb2 pointer will point to the nth structure of type
+ufs_super_block_second.
+
+This can cause a mount-time oops if you're unlucky (especially with
+DEBUG_PAGEALLOC, which is how Alexey Dobriyan saw this problem)
+
+Signed-off-by: Evgeniy Dushistov <dushistov@mail.ru>
+Acked-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/ufs/util.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.1.orig/fs/ufs/util.h
++++ linux-2.6.15.1/fs/ufs/util.h
+@@ -255,8 +255,8 @@ extern void _ubh_memcpyubh_(struct ufs_s
+       ((struct ufs_super_block_first *)((ubh)->bh[0]->b_data))
+ #define ubh_get_usb_second(ubh) \
+-      ((struct ufs_super_block_second *)(ubh)-> \
+-      bh[UFS_SECTOR_SIZE >> uspi->s_fshift]->b_data + (UFS_SECTOR_SIZE & ~uspi->s_fmask))
++      ((struct ufs_super_block_second *)((ubh)->\
++      bh[UFS_SECTOR_SIZE >> uspi->s_fshift]->b_data + (UFS_SECTOR_SIZE & ~uspi->s_fmask)))
+ #define ubh_get_usb_third(ubh) \
+       ((struct ufs_super_block_third *)((ubh)-> \
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.050239000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:04 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, aviro@redhat.com
+Subject: [patch 04/12] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open (CVE-2005-3356)
+Content-Disposition: inline; filename=fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch
+Content-Length: 3950
+Lines: 143
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Alexander Viro <aviro@redhat.com>
+
+Fixed the refcounting on failure exits in sys_mq_open() and
+cleaned the logics up.  Rules are actually pretty simple - dentry_open()
+expects vfsmount and dentry to be pinned down and it either transfers
+them into created struct file or drops them.  Old code had been very
+confused in that area - if dentry_open() had failed either in do_open()
+or do_create(), we ended up dentry and mqueue_mnt dropped twice, once
+by dentry_open() cleanup and then by sys_mq_open().
+
+Fix consists of making the rules for do_create() and do_open()
+same as for dentry_open() and updating the sys_mq_open() accordingly;
+that actually leads to more straightforward code and less work on
+normal path.
+
+Signed-off-by: Al Viro <aviro@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ ipc/mqueue.c |   59 +++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 33 insertions(+), 26 deletions(-)
+
+--- linux-2.6.15.1.orig/ipc/mqueue.c
++++ linux-2.6.15.1/ipc/mqueue.c
+@@ -598,15 +598,16 @@ static int mq_attr_ok(struct mq_attr *at
+ static struct file *do_create(struct dentry *dir, struct dentry *dentry,
+                       int oflag, mode_t mode, struct mq_attr __user *u_attr)
+ {
+-      struct file *filp;
+       struct mq_attr attr;
+       int ret;
+-      if (u_attr != NULL) {
++      if (u_attr) {
++              ret = -EFAULT;
+               if (copy_from_user(&attr, u_attr, sizeof(attr)))
+-                      return ERR_PTR(-EFAULT);
++                      goto out;
++              ret = -EINVAL;
+               if (!mq_attr_ok(&attr))
+-                      return ERR_PTR(-EINVAL);
++                      goto out;
+               /* store for use during create */
+               dentry->d_fsdata = &attr;
+       }
+@@ -615,13 +616,14 @@ static struct file *do_create(struct den
+       ret = vfs_create(dir->d_inode, dentry, mode, NULL);
+       dentry->d_fsdata = NULL;
+       if (ret)
+-              return ERR_PTR(ret);
++              goto out;
+-      filp = dentry_open(dentry, mqueue_mnt, oflag);
+-      if (!IS_ERR(filp))
+-              dget(dentry);
++      return dentry_open(dentry, mqueue_mnt, oflag);
+-      return filp;
++out:
++      dput(dentry);
++      mntput(mqueue_mnt);
++      return ERR_PTR(ret);
+ }
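Review bot: do_create() now consumes the caller's references on `dentry` and `mqueue_mnt` on every path, either through the `out:` label here or through dentry_open(), but nothing in the code records that rule. The double drop this patch fixes came from that ownership being unclear, so it belongs in a comment above do_create() and above do_open() in the next hunk, e.g. `/* Consumes the references on dentry and mqueue_mnt, on success and on failure. */`. A short comment at the call sites in sys_mq_open() would also explain why `dput()` is no longer called after the helpers return. The start of do_create() is in the previous hunk.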
+ /* Opens existing queue */
+@@ -629,20 +631,20 @@ static struct file *do_open(struct dentr
+ {
+ static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE,
+                                       MAY_READ | MAY_WRITE };
+-      struct file *filp;
+-      if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY))
++      if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) {
++              dput(dentry);
++              mntput(mqueue_mnt);
+               return ERR_PTR(-EINVAL);
++      }
+-      if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL))
++      if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) {
++              dput(dentry);
++              mntput(mqueue_mnt);
+               return ERR_PTR(-EACCES);
++      }
+-      filp = dentry_open(dentry, mqueue_mnt, oflag);
+-
+-      if (!IS_ERR(filp))
+-              dget(dentry);
+-
+-      return filp;
++      return dentry_open(dentry, mqueue_mnt, oflag);
+ }
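Review bot: The two early exits in do_open() each repeat `dput(dentry); mntput(mqueue_mnt);`, while do_create() in the same patch sends its failures through a single `out:` label. Giving do_open() the same shape keeps the reference drops in one place, so a check added later cannot forget one of them and reintroduce a refcount imbalance. The function's signature appears only in the hunk header, and the rewrite below needs one new local, `int ret;`.

```c
	/* … unchanged: oflag2acc[] table … */
	int ret;

	ret = -EINVAL;
	if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY))
		goto out;
	ret = -EACCES;
	if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL))
		goto out;

	return dentry_open(dentry, mqueue_mnt, oflag);

out:
	dput(dentry);
	mntput(mqueue_mnt);
	return ERR_PTR(ret);
```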
+ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
+@@ -670,17 +672,20 @@ asmlinkage long sys_mq_open(const char _
+       if (oflag & O_CREAT) {
+               if (dentry->d_inode) {  /* entry already exists */
+-                      filp = (oflag & O_EXCL) ? ERR_PTR(-EEXIST) :
+-                                      do_open(dentry, oflag);
++                      error = -EEXIST;
++                      if (oflag & O_EXCL)
++                              goto out;
++                      filp = do_open(dentry, oflag);
+               } else {
+                       filp = do_create(mqueue_mnt->mnt_root, dentry,
+                                               oflag, mode, u_attr);
+               }
+-      } else
+-              filp = (dentry->d_inode) ? do_open(dentry, oflag) :
+-                                      ERR_PTR(-ENOENT);
+-
+-      dput(dentry);
++      } else {
++              error = -ENOENT;
++              if (!dentry->d_inode)
++                      goto out;
++              filp = do_open(dentry, oflag);
++      }
+       if (IS_ERR(filp)) {
+               error = PTR_ERR(filp);
+@@ -691,8 +696,10 @@ asmlinkage long sys_mq_open(const char _
+       fd_install(fd, filp);
+       goto out_upsem;
+-out_putfd:
++out:
++      dput(dentry);
+       mntput(mqueue_mnt);
++out_putfd:
+       put_unused_fd(fd);
+ out_err:
+       fd = error;
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.345934000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:07 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, davem@davemloft.net, richm@oldelvet.org.uk
+Subject: [patch 07/12] Fix timekeeping on sparc64 ultra-IIe machines
+Content-Disposition: inline; filename=sparc64-fix-timekeeping-on-ultra-IIe-machines.patch
+Content-Length: 3053
+Lines: 83
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Richard Mortimer <richm@oldelvet.org.uk>
+
+[SPARC64]: Eliminate race condition reading Hummingbird STICK register
+
+Ensure a consistent value is read from the STICK register by ensuring
+that both high and low are read without high changing due to a roll
+over of the low register.
+
+Various Debian/SPARC users (myself include) have noticed problems with
+Hummingbird based systems. The symptoms are that the system time is
+seen to jump forward 3 days, 6 hours, 11 minutes give or take a few
+seconds. In many cases the system then hangs some time afterwards.
+
+I've spotted a race condition in the code to read the STICK register.
+I could not work out why 3d, 6h, 11m is important but guess that it is
+due to the 2^32 jump of STICK (forwards on one read and then the next
+read will seem to be backwards) during a timer interrupt. I'm guessing
+that a change of -2^32 will get converted to a large unsigned
+increment after the arithmetic manipulation between STICK,
+nanoseconds, jiffies etc.
+
+I did a test where I modified __hbird_read_stick to artificially
+inject rollover faults forcefully every few seconds. With this I saw
+the clock jump over 6 times in 12 hours compared to once every month
+or so.
+
+Signed-off-by: Richard Mortimer <richm@oldelvet.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc64/kernel/time.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- linux-2.6.15.1.orig/arch/sparc64/kernel/time.c
++++ linux-2.6.15.1/arch/sparc64/kernel/time.c
+@@ -280,9 +280,9 @@ static struct sparc64_tick_ops stick_ope
+  * Since STICK is constantly updating, we have to access it carefully.
+  *
+  * The sequence we use to read is:
+- * 1) read low
+- * 2) read high
+- * 3) read low again, if it rolled over increment high by 1
++ * 1) read high
++ * 2) read low
++ * 3) read high again, if it rolled re-read both low and high again.
+  *
+  * Writing STICK safely is also tricky:
+  * 1) write low to zero
+@@ -295,18 +295,18 @@ static struct sparc64_tick_ops stick_ope
+ static unsigned long __hbird_read_stick(void)
+ {
+       unsigned long ret, tmp1, tmp2, tmp3;
+-      unsigned long addr = HBIRD_STICK_ADDR;
++      unsigned long addr = HBIRD_STICK_ADDR+8;
+-      __asm__ __volatile__("ldxa      [%1] %5, %2\n\t"
+-                           "add       %1, 0x8, %1\n\t"
+-                           "ldxa      [%1] %5, %3\n\t"
++      __asm__ __volatile__("ldxa      [%1] %5, %2\n"
++                           "1:\n\t"
+                            "sub       %1, 0x8, %1\n\t"
++                           "ldxa      [%1] %5, %3\n\t"
++                           "add       %1, 0x8, %1\n\t"
+                            "ldxa      [%1] %5, %4\n\t"
+                            "cmp       %4, %2\n\t"
+-                           "blu,a,pn  %%xcc, 1f\n\t"
+-                           " add      %3, 1, %3\n"
+-                           "1:\n\t"
+-                           "sllx      %3, 32, %3\n\t"
++                           "bne,a,pn  %%xcc, 1b\n\t"
++                           " mov      %4, %2\n\t"
++                           "sllx      %4, 32, %4\n\t"
+                            "or        %3, %4, %0\n\t"
+                            : "=&r" (ret), "=&r" (addr),
+                              "=&r" (tmp1), "=&r" (tmp2), "=&r" (tmp3)
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.462153000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:08 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, davem@davemloft.net
+Subject: [patch 08/12] [NET]: Make second arg to skb_reserved() signed.
+Content-Disposition: inline; filename=net-make-second-arg-to-skb_reserved-signed.patch
+Content-Length: 1074
+Lines: 34
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: David S. Miller <davem@davemloft.net>
+
+Some subsystems, such as PPP, can send negative values
+here.  It just happened to work correctly on 32-bit with
+an unsigned value, but on 64-bit this explodes.
+
+Figured out by Paul Mackerras based upon several PPP crash
+reports.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ include/linux/skbuff.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.1.orig/include/linux/skbuff.h
++++ linux-2.6.15.1/include/linux/skbuff.h
+@@ -927,7 +927,7 @@ static inline int skb_tailroom(const str
+  *    Increase the headroom of an empty &sk_buff by reducing the tail
+  *    room. This is only allowed for an empty buffer.
+  */
+-static inline void skb_reserve(struct sk_buff *skb, unsigned int len)
++static inline void skb_reserve(struct sk_buff *skb, int len)
+ {
+       skb->data += len;
+       skb->tail += len;
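Review bot: With `len` now signed, skb_reserve() accepts a negative adjustment, but the kernel-doc above it still describes only increasing the headroom, and nothing bounds how far `skb->data` and `skb->tail` may move backwards. A negative `len` larger than the current headroom would leave both pointers in front of the buffer, and later writes through them would land outside the allocation. I would extend the comment with a line such as `@len: bytes to move; may be negative, in which case the caller must keep skb->data at or after skb->head`, and consider a debug-only check of that condition. The closing brace of the function is outside the hunk.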
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.579148000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:09 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, ak@suse.de
+Subject: [patch 09/12] Mask off GFP flags before swiotlb_alloc_coherent
+Content-Disposition: inline; filename=mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch
+Content-Length: 732
+Lines: 28
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Andi Kleen <ak@muc.de>
+
+Mask off GFP flags before swiotlb_alloc_coherent
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Chris Wright <chris@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86_64/kernel/pci-gart.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.15.1.orig/arch/x86_64/kernel/pci-gart.c
++++ linux-2.6.15.1/arch/x86_64/kernel/pci-gart.c
+@@ -244,6 +244,7 @@ dma_alloc_coherent(struct device *dev, s
+                                          get_order(size));
+                               if (swiotlb) {
++                                      gfp &= ~(GFP_DMA32|GFP_DMA);
+                                       return
+                                       swiotlb_alloc_coherent(dev, size,
+                                                              dma_handle,
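Review bot: The added `gfp &= ~(GFP_DMA32|GFP_DMA);` has no comment, and the patch description only repeats the subject line, so the reason the zone flags must be cleared before swiotlb_alloc_coherent() is recorded nowhere. A reader cannot tell whether this avoids a crash, a failed allocation or just wasted low memory, nor whether other swiotlb call sites need the same mask. Please add the reason above the line, for example `/* swiotlb chooses its own memory; do not pass zone modifiers through */` if that is the actual cause. dma_alloc_coherent() starts and ends outside the hunk.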
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.867358000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:11 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, Markus.Lidel@shadowconnect.com,
+ theonetruekenny@yahoo.com
+Subject: [patch 11/12] Fix i2o_scsi oops on abort
+Content-Disposition: inline; filename=fix-i2o_scsi-oops-on-abort.patch
+Content-Length: 1110
+Lines: 35
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Markus Lidel <Markus.Lidel@shadowconnect.com>
+
+>From http://bugzilla.kernel.org/show_bug.cgi?id=5923
+
+When a scsi command failed, an oops would result.
+
+Back-to-back SMART queries would make the Seagate drives unhappy.  The
+second SMART query would timeout, and the command would be aborted.
+
+From: Markus Lidel <Markus.Lidel@shadowconnect.com>
+Cc: Kenny Simpson <theonetruekenny@yahoo.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/message/i2o/i2o_scsi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.1.orig/drivers/message/i2o/i2o_scsi.c
++++ linux-2.6.15.1/drivers/message/i2o/i2o_scsi.c
+@@ -729,7 +729,7 @@ static int i2o_scsi_abort(struct scsi_cm
+              &msg->u.head[1]);
+       writel(i2o_cntxt_list_get_ptr(c, SCpnt), &msg->body[0]);
+-      if (i2o_msg_post_wait(c, m, I2O_TIMEOUT_SCSI_SCB_ABORT))
++      if (!i2o_msg_post_wait(c, msg, I2O_TIMEOUT_SCSI_SCB_ABORT))
+               status = SUCCESS;
+       return status;
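Review bot: This one-line change does two things, it inverts the test and it replaces the second argument `m` with `msg`, while the description only mentions the oops. The prototype of i2o_msg_post_wait() is not visible here, and `msg` is used as a pointer in the `writel()` calls above. If the function in the 2.6.15 tree takes the message offset `m` and not the message pointer, the new call passes the wrong value and the line should read `if (!i2o_msg_post_wait(c, m, I2O_TIMEOUT_SCSI_SCB_ABORT))`. Please confirm the argument type against the tree this backport targets, and state in the description which of the two changes fixes the oops. i2o_scsi_abort() begins outside the hunk.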
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:11 2006
+Message-Id: <20060128020811.699623000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:10 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, reiser@namesys.com, vitaly@namesys.com
+Subject: [patch 10/12] Someone broke reiserfs v3 mount options and this fixes it
+Content-Disposition: inline; filename=someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch
+Content-Length: 821
+Lines: 28
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Vitaly Fertman <vitaly@namesys.com>
+
+Signed-off-by: Hans Reiser <reiser@namesys.com>
+Signed-off-by: Vitaly Fertman <vitaly@namesys.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/reiserfs/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.15.1.orig/fs/reiserfs/super.c
++++ linux-2.6.15.1/fs/reiserfs/super.c
+@@ -1131,7 +1131,7 @@ static void handle_attrs(struct super_bl
+                       REISERFS_SB(s)->s_mount_opt &= ~(1 << REISERFS_ATTRS);
+               }
+       } else if (le32_to_cpu(rs->s_flags) & reiserfs_attrs_cleared) {
+-              REISERFS_SB(s)->s_mount_opt |= REISERFS_ATTRS;
++              REISERFS_SB(s)->s_mount_opt |= (1 << REISERFS_ATTRS);
+       }
+ }
+
+--
+
+From greg@press.kroah.org Fri Jan 27 18:08:12 2006
+Message-Id: <20060128020811.929376000@press.kroah.org>
+References: <20060128020629.908825000@press.kroah.org>
+Date: Fri, 27 Jan 2006 00:00:12 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ torvalds@osdl.org,
+ akpm@osdl.org,
+ alan@lxorguk.ukuu.org.uk, ralf@linux-mips.org
+Subject: [patch 12/12] Fix mkiss locking bug
+Content-Disposition: inline; filename=fix-mkiss-locking-bug.patch
+Content-Length: 819
+Lines: 29
+
+2.6.15.2 -stable review patch.  If anyone has any objections, please let 
+us know.
+
+------------------
+
+From: Ralf Baechle DL5RB <ralf@linux-mips.org>
+
+ax_encaps() forgot to drop the bufferlock at the end of the function.
+Patch is already in 2.6.16-rc1.
+
+Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/hamradio/mkiss.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.15.1.orig/drivers/net/hamradio/mkiss.c
++++ linux-2.6.15.1/drivers/net/hamradio/mkiss.c
+@@ -515,6 +515,7 @@ static void ax_encaps(struct net_device 
+                       count = kiss_esc(p, (unsigned char *)ax->xbuff, len);
+               }
+       }
++      spin_unlock_bh(&ax->buflock);
+       set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
+       actual = ax->tty->driver->write(ax->tty, ax->xbuff, count);
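Review bot: The unlock is placed before the `write()` call that reads `ax->xbuff` and `count`, so if `buflock` is what protects the transmit buffer, that buffer is handed to the tty driver after the lock has been dropped. The hunk does not show what the lock covers or where it is taken, so this may be deliberate, but the reason should be stated in a comment, e.g. `/* xbuff is fully built; drop buflock before calling into the tty driver */`. It is also worth confirming that every earlier return in ax_encaps() releases the lock, since those paths are outside the hunk.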
+
+--
+
similarity index 100%
rename from queue/series
rename to review/series