From: Greg Kroah-Hartman Date: Wed, 31 Oct 2007 15:13:17 +0000 (-0700) Subject: start 2.6.22.11 review series X-Git-Tag: v2.6.22.11~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2cb5b74d7e39c5ba08556bcee72eaadf00aa31a8;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.22.11 review series --- diff --git a/queue-2.6.22/acpi-disable-lower-idle-c-states-across-suspend-resume.patch b/review-2.6.22/acpi-disable-lower-idle-c-states-across-suspend-resume.patch similarity index 100% rename from queue-2.6.22/acpi-disable-lower-idle-c-states-across-suspend-resume.patch rename to review-2.6.22/acpi-disable-lower-idle-c-states-across-suspend-resume.patch diff --git a/queue-2.6.22/add-get_unaligned-to-ieee80211_get_radiotap_len.patch b/review-2.6.22/add-get_unaligned-to-ieee80211_get_radiotap_len.patch similarity index 100% rename from queue-2.6.22/add-get_unaligned-to-ieee80211_get_radiotap_len.patch rename to review-2.6.22/add-get_unaligned-to-ieee80211_get_radiotap_len.patch diff --git a/queue-2.6.22/dm9601-fix-receive-mtu.patch b/review-2.6.22/dm9601-fix-receive-mtu.patch similarity index 100% rename from queue-2.6.22/dm9601-fix-receive-mtu.patch rename to review-2.6.22/dm9601-fix-receive-mtu.patch diff --git a/queue-2.6.22/firewire-fix-unloading-of-fw-ohci-while-devices-are-attached.patch b/review-2.6.22/firewire-fix-unloading-of-fw-ohci-while-devices-are-attached.patch similarity index 100% rename from queue-2.6.22/firewire-fix-unloading-of-fw-ohci-while-devices-are-attached.patch rename to review-2.6.22/firewire-fix-unloading-of-fw-ohci-while-devices-are-attached.patch diff --git a/queue-2.6.22/fix-cls_u32-error-return-handling.patch b/review-2.6.22/fix-cls_u32-error-return-handling.patch similarity index 100% rename from queue-2.6.22/fix-cls_u32-error-return-handling.patch rename to review-2.6.22/fix-cls_u32-error-return-handling.patch diff --git a/queue-2.6.22/fix-esp-host-instance-numbering.patch b/review-2.6.22/fix-esp-host-instance-numbering.patch similarity index 100% rename from queue-2.6.22/fix-esp-host-instance-numbering.patch rename to review-2.6.22/fix-esp-host-instance-numbering.patch diff --git a/queue-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch b/review-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch similarity index 100% rename from queue-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch rename to review-2.6.22/fix-ieee80211-handling-of-bogus-hdrlength-field.patch diff --git a/queue-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch b/review-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch similarity index 100% rename from queue-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch rename to review-2.6.22/fix-ipv6-redirect-processing-leads-to-tahi-failures.patch diff --git a/queue-2.6.22/fix-rose-module-unload-oops.patch b/review-2.6.22/fix-rose-module-unload-oops.patch similarity index 100% rename from queue-2.6.22/fix-rose-module-unload-oops.patch rename to review-2.6.22/fix-rose-module-unload-oops.patch diff --git a/queue-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch b/review-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch similarity index 100% rename from queue-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch rename to review-2.6.22/fix-some-cases-of-missed-ipv6-dad.patch diff --git a/queue-2.6.22/fix-sys_ipc-semctl-on-sparc64.patch b/review-2.6.22/fix-sys_ipc-semctl-on-sparc64.patch similarity index 100% rename from queue-2.6.22/fix-sys_ipc-semctl-on-sparc64.patch rename to review-2.6.22/fix-sys_ipc-semctl-on-sparc64.patch diff --git a/queue-2.6.22/fix-tcp-initial-sequence-number-selection.patch b/review-2.6.22/fix-tcp-initial-sequence-number-selection.patch similarity index 100% rename from queue-2.6.22/fix-tcp-initial-sequence-number-selection.patch rename to review-2.6.22/fix-tcp-initial-sequence-number-selection.patch diff --git a/queue-2.6.22/fix-tcp-md5-on-big-endian.patch b/review-2.6.22/fix-tcp-md5-on-big-endian.patch similarity index 100% rename from queue-2.6.22/fix-tcp-md5-on-big-endian.patch rename to review-2.6.22/fix-tcp-md5-on-big-endian.patch diff --git a/queue-2.6.22/fix-tcp-s-fastpath_cnt_hit-handling.patch b/review-2.6.22/fix-tcp-s-fastpath_cnt_hit-handling.patch similarity index 100% rename from queue-2.6.22/fix-tcp-s-fastpath_cnt_hit-handling.patch rename to review-2.6.22/fix-tcp-s-fastpath_cnt_hit-handling.patch diff --git a/queue-2.6.22/fix-zero-length-socket-write-semantics.patch b/review-2.6.22/fix-zero-length-socket-write-semantics.patch similarity index 100% rename from queue-2.6.22/fix-zero-length-socket-write-semantics.patch rename to review-2.6.22/fix-zero-length-socket-write-semantics.patch diff --git a/queue-2.6.22/hwmon-lm87-disable-vid-when-it-should-be.patch b/review-2.6.22/hwmon-lm87-disable-vid-when-it-should-be.patch similarity index 100% rename from queue-2.6.22/hwmon-lm87-disable-vid-when-it-should-be.patch rename to review-2.6.22/hwmon-lm87-disable-vid-when-it-should-be.patch diff --git a/queue-2.6.22/hwmon-lm87-fix-a-division-by-zero.patch b/review-2.6.22/hwmon-lm87-fix-a-division-by-zero.patch similarity index 100% rename from queue-2.6.22/hwmon-lm87-fix-a-division-by-zero.patch rename to review-2.6.22/hwmon-lm87-fix-a-division-by-zero.patch diff --git a/queue-2.6.22/hwmon-w83627hf-don-t-assume-bank-0.patch b/review-2.6.22/hwmon-w83627hf-don-t-assume-bank-0.patch similarity index 100% rename from queue-2.6.22/hwmon-w83627hf-don-t-assume-bank-0.patch rename to review-2.6.22/hwmon-w83627hf-don-t-assume-bank-0.patch diff --git a/queue-2.6.22/hwmon-w83627hf-fix-setting-fan-min-right-after-driver-load.patch b/review-2.6.22/hwmon-w83627hf-fix-setting-fan-min-right-after-driver-load.patch similarity index 100% rename from queue-2.6.22/hwmon-w83627hf-fix-setting-fan-min-right-after-driver-load.patch rename to review-2.6.22/hwmon-w83627hf-fix-setting-fan-min-right-after-driver-load.patch diff --git a/queue-2.6.22/i915-fix-vbl-swap-allocation-size.patch b/review-2.6.22/i915-fix-vbl-swap-allocation-size.patch similarity index 100% rename from queue-2.6.22/i915-fix-vbl-swap-allocation-size.patch rename to review-2.6.22/i915-fix-vbl-swap-allocation-size.patch diff --git a/queue-2.6.22/libertas-fix-endianness-breakage.patch b/review-2.6.22/libertas-fix-endianness-breakage.patch similarity index 100% rename from queue-2.6.22/libertas-fix-endianness-breakage.patch rename to review-2.6.22/libertas-fix-endianness-breakage.patch diff --git a/queue-2.6.22/libertas-more-endianness-breakage.patch b/review-2.6.22/libertas-more-endianness-breakage.patch similarity index 100% rename from queue-2.6.22/libertas-more-endianness-breakage.patch rename to review-2.6.22/libertas-more-endianness-breakage.patch diff --git a/queue-2.6.22/mac80211-filter-locally-originated-multicast-frames.patch b/review-2.6.22/mac80211-filter-locally-originated-multicast-frames.patch similarity index 100% rename from queue-2.6.22/mac80211-filter-locally-originated-multicast-frames.patch rename to review-2.6.22/mac80211-filter-locally-originated-multicast-frames.patch diff --git a/review-2.6.22/mbox b/review-2.6.22/mbox new file mode 100644 index 00000000000..218d38a24e4 --- /dev/null +++ b/review-2.6.22/mbox @@ -0,0 +1,2401 @@ +From gregkh@mini.kroah.org Wed Oct 31 08:07:03 2007 +Message-Id: <20071031150703.715165465@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:36 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Gleixner , + Len Brown , + Venkatesh Pallipadi , + "Rafael J. Wysocki" +Subject: [patch 01/26] ACPI: disable lower idle C-states across suspend/resume +Content-Disposition: inline; filename=acpi-disable-lower-idle-c-states-across-suspend-resume.patch +Content-Length: 3545 +Lines: 103 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Thomas Gleixner + +changeset b04e7bdb984e3b7f62fb7f44146a529f88cc7639 from mainline. + +device_suspend() calls ACPI suspend functions, which seems to have undesired +side effects on lower idle C-states. It took me some time to realize that +especially the VAIO BIOSes (both Andrews jinxed UP and my elfstruck SMP one) +show this effect. I'm quite sure that other bug reports against suspend/resume +about turning the system into a brick have the same root cause. + +After fishing in the dark for quite some time, I realized that removing the ACPI +processor module before suspend (this removes the lower C-state functionality) +made the problem disappear. Interestingly enough the propability of having a +bricked box is influenced by various factors (interrupts, size of the ram image, +...). Even adding a bunch of printks in the wrong places made the problem go +away. The previous periodic tick implementation simply pampered over the +problem, which explains why the dyntick / clockevents changes made this more +prominent. + +We avoid complex functionality during the boot process and we have to do the +same during suspend/resume. It is a similar scenario and equaly fragile. + +Add suspend / resume functions to the ACPI processor code and disable the lower +idle C-states across suspend/resume. Fall back to the default idle +implementation (halt) instead. + +Signed-off-by: Thomas Gleixner +Tested-by: Andrew Morton +Cc: Len Brown +Cc: Venkatesh Pallipadi +Cc: Rafael J. Wysocki +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_core.c | 2 ++ + drivers/acpi/processor_idle.c | 19 ++++++++++++++++++- + include/acpi/processor.h | 2 ++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/processor_core.c ++++ b/drivers/acpi/processor_core.c +@@ -93,6 +93,8 @@ static struct acpi_driver acpi_processor + .add = acpi_processor_add, + .remove = acpi_processor_remove, + .start = acpi_processor_start, ++ .suspend = acpi_processor_suspend, ++ .resume = acpi_processor_resume, + }, + }; + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -324,6 +324,23 @@ static void acpi_state_timer_broadcast(s + + #endif + ++/* ++ * Suspend / resume control ++ */ ++static int acpi_idle_suspend; ++ ++int acpi_processor_suspend(struct acpi_device * device, pm_message_t state) ++{ ++ acpi_idle_suspend = 1; ++ return 0; ++} ++ ++int acpi_processor_resume(struct acpi_device * device) ++{ ++ acpi_idle_suspend = 0; ++ return 0; ++} ++ + static void acpi_processor_idle(void) + { + struct acpi_processor *pr = NULL; +@@ -354,7 +371,7 @@ static void acpi_processor_idle(void) + } + + cx = pr->power.state; +- if (!cx) { ++ if (!cx || acpi_idle_suspend) { + if (pm_idle_save) + pm_idle_save(); + else +--- a/include/acpi/processor.h ++++ b/include/acpi/processor.h +@@ -279,6 +279,8 @@ int acpi_processor_power_init(struct acp + int acpi_processor_cst_has_changed(struct acpi_processor *pr); + int acpi_processor_power_exit(struct acpi_processor *pr, + struct acpi_device *device); ++int acpi_processor_suspend(struct acpi_device * device, pm_message_t state); ++int acpi_processor_resume(struct acpi_device * device); + + /* in processor_thermal.c */ + int acpi_processor_get_limit_info(struct acpi_processor *pr); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:03 2007 +Message-Id: <20071031150703.850222449@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:37 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + "David S. Miller" , + James Bottomley +Subject: [patch 02/26] Fix ESP host instance numbering. +Content-Disposition: inline; filename=fix-esp-host-instance-numbering.patch +Content-Length: 1075 +Lines: 41 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David Miller + +changeset ff4abd6cfacf0bb23a077f615d3a5cd17359db1b in mainline. + +The ESP scsi driver does not initialize the host controller +instance early enough, so the messages in the log confuse +users. + +Signed-off-by: David S. Miller +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/esp_scsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/esp_scsi.c ++++ b/drivers/scsi/esp_scsi.c +@@ -2318,6 +2318,7 @@ int __devinit scsi_esp_register(struct e + esp->host->transportt = esp_transport_template; + esp->host->max_lun = ESP_MAX_LUN; + esp->host->cmd_per_lun = 2; ++ esp->host->unique_id = instance; + + esp_set_clock_params(esp); + +@@ -2341,7 +2342,7 @@ int __devinit scsi_esp_register(struct e + if (err) + return err; + +- esp->host->unique_id = instance++; ++ instance++; + + scsi_scan_host(esp->host); + + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150703.990470262@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:38 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + Stephen Hemminger , + "David S. Miller" +Subject: [patch 03/26] Fix cls_u32 error return handling. +Content-Disposition: inline; filename=fix-cls_u32-error-return-handling.patch +Content-Length: 821 +Lines: 29 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Stephen Hemminger + +changeset bf1b803b01b00c3801e0aa373ba0305f8278e260 from mainline. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_u32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -518,7 +518,7 @@ static int u32_set_parms(struct tcf_prot + + #ifdef CONFIG_NET_CLS_IND + if (tb[TCA_U32_INDEV-1]) { +- int err = tcf_change_indev(tp, n->indev, tb[TCA_U32_INDEV-1]); ++ err = tcf_change_indev(tp, n->indev, tb[TCA_U32_INDEV-1]); + if (err < 0) + goto errout; + } + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.148462892@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:39 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + "John W. Linville" , + "David S. Miller" +Subject: [patch 04/26] Fix ieee80211 handling of bogus hdrlength field +Content-Disposition: inline; filename=fix-ieee80211-handling-of-bogus-hdrlength-field.patch +Content-Length: 1740 +Lines: 58 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: John W. Linville + +changeset 04045f98e0457aba7d4e6736f37eed189c48a5f7 from mainline + +Reported by Chris Evans : + +> The summary is that an evil 80211 frame can crash out a victim's +> machine. It only applies to drivers using the 80211 wireless code, and +> only then to certain drivers (and even then depends on a card's +> firmware not dropping a dubious packet). I must confess I'm not +> keeping track of Linux wireless support, and the different protocol +> stacks etc. +> +> Details are as follows: +> +> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen". +> There are other skb->len checks, but not enough to prevent a subtle +> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag +> set. +> +> This leads to integer underflow and crash here: +> +> if (frag != 0) +> flen -= hdrlen; +> +> (flen is subsequently used as a memcpy length parameter). + +How about this? + +Signed-off-by: John W. Linville +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ieee80211/ieee80211_rx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ieee80211/ieee80211_rx.c ++++ b/net/ieee80211/ieee80211_rx.c +@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device + frag = WLAN_GET_SEQ_FRAG(sc); + hdrlen = ieee80211_get_hdrlen(fc); + ++ if (skb->len < hdrlen) { ++ printk(KERN_INFO "%s: invalid SKB length %d\n", ++ dev->name, skb->len); ++ goto rx_dropped; ++ } ++ + /* Put this code here so that we avoid duplicating it in all + * Rx paths. - Jean II */ + #ifdef CONFIG_WIRELESS_EXT + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.272643921@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:40 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + Mitsuru Chinen , + YOSHIFUJI Hideaki , + "David S. Miller" +Subject: [patch 05/26] Fix some cases of missed IPV6 DAD +Content-Disposition: inline; filename=fix-some-cases-of-missed-ipv6-dad.patch +Content-Length: 2252 +Lines: 75 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Mitsuru Chinen + +changeset 0fcace22d38ce9216f5ba52f929a99d284aa7e49 from mainline + +To judge the timing for DAD, netif_carrier_ok() is used. However, +there is a possibility that dev->qdisc stays noop_qdisc even if +netif_carrier_ok() returns true. In that case, DAD NS is not sent out. +We need to defer the IPv6 device initialization until a valid qdisc +is specified. + +Signed-off-by: Mitsuru Chinen +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -73,6 +73,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -212,6 +213,12 @@ static struct ipv6_devconf ipv6_devconf_ + const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; + const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT; + ++/* Check if a valid qdisc is available */ ++static inline int addrconf_qdisc_ok(struct net_device *dev) ++{ ++ return (dev->qdisc != &noop_qdisc); ++} ++ + static void addrconf_del_timer(struct inet6_ifaddr *ifp) + { + if (del_timer(&ifp->timer)) +@@ -376,7 +383,7 @@ static struct inet6_dev * ipv6_add_dev(s + } + #endif + +- if (netif_running(dev) && netif_carrier_ok(dev)) ++ if (netif_running(dev) && addrconf_qdisc_ok(dev)) + ndev->if_flags |= IF_READY; + + ipv6_mc_init_dev(ndev); +@@ -2269,7 +2276,7 @@ static int addrconf_notify(struct notifi + case NETDEV_UP: + case NETDEV_CHANGE: + if (event == NETDEV_UP) { +- if (!netif_carrier_ok(dev)) { ++ if (!addrconf_qdisc_ok(dev)) { + /* device is not ready yet. */ + printk(KERN_INFO + "ADDRCONF(NETDEV_UP): %s: " +@@ -2281,7 +2288,7 @@ static int addrconf_notify(struct notifi + if (idev) + idev->if_flags |= IF_READY; + } else { +- if (!netif_carrier_ok(dev)) { ++ if (!addrconf_qdisc_ok(dev)) { + /* device is still not ready. */ + break; + } + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.416792173@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:41 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + Brian Haley , + David L Stevens , + "David S. Miller" +Subject: [patch 06/26] Fix ipv6 redirect processing, leads to TAHI failures. +Content-Disposition: inline; filename=fix-ipv6-redirect-processing-leads-to-tahi-failures.patch +Content-Length: 2985 +Lines: 83 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Brian Haley + +changeset bf0b48dfc368c07c42b5a3a5658c8ee81b4283ac from mainline. + +When the ICMPv6 Target address is multicast, Linux processes the +redirect instead of dropping it. The problem is in this code in +ndisc_redirect_rcv(): + + if (ipv6_addr_equal(dest, target)) { + on_link = 1; + } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { + ND_PRINTK2(KERN_WARNING + "ICMPv6 Redirect: target address is not +link-local.\n"); + return; + } + +This second check will succeed if the Target address is, for example, +FF02::1 because it has link-local scope. Instead, it should be checking +if it's a unicast link-local address, as stated in RFC 2461/4861 Section +8.1: + + - The ICMP Target Address is either a link-local address (when + redirected to a router) or the same as the ICMP Destination + Address (when redirected to the on-link destination). + +I know this doesn't explicitly say unicast link-local address, but it's +implied. + +This bug is preventing Linux kernels from achieving IPv6 Logo Phase II +certification because of a recent error that was found in the TAHI test +suite - Neighbor Disovery suite test 206 (v6LC.2.3.6_G) had the +multicast address in the Destination field instead of Target field, so +we were passing the test. This won't be the case anymore. + +The patch below fixes this problem, and also fixes ndisc_send_redirect() +to not send an invalid redirect with a multicast address in the Target +field. I re-ran the TAHI Neighbor Discovery section to make sure Linux +passes all 245 tests now. + +Signed-off-by: Brian Haley +Acked-by: David L Stevens +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ndisc.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1268,9 +1268,10 @@ static void ndisc_redirect_rcv(struct sk + + if (ipv6_addr_equal(dest, target)) { + on_link = 1; +- } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ++ } else if (ipv6_addr_type(target) != ++ (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) { + ND_PRINTK2(KERN_WARNING +- "ICMPv6 Redirect: target address is not link-local.\n"); ++ "ICMPv6 Redirect: target address is not link-local unicast.\n"); + return; + } + +@@ -1344,9 +1345,9 @@ void ndisc_send_redirect(struct sk_buff + } + + if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) && +- !(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ++ ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) { + ND_PRINTK2(KERN_WARNING +- "ICMPv6 Redirect: target address is not link-local.\n"); ++ "ICMPv6 Redirect: target address is not link-local unicast.\n"); + return; + } + + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.558061473@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:42 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + Alexey Dobriyan , + "David S. Miller" +Subject: [patch 07/26] Fix ROSE module unload oops. +Content-Disposition: inline; filename=fix-rose-module-unload-oops.patch +Content-Length: 4942 +Lines: 142 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Alexey Dobriyan + +changeset 891e6a931255238dddd08a7b306871240961a27f from mainline. + +Commit a3d384029aa304f8f3f5355d35f0ae274454f7cd aka +"[AX.25]: Fix unchecked rose_add_loopback_neigh uses" +transformed rose_loopback_neigh var into statically allocated one. +However, on unload it will be kfree's which can't work. + +Steps to reproduce: + + modprobe rose + rmmod rose + +BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008 + printing eip: +c014c664 +*pde = 00000000 +Oops: 0000 [#1] +PREEMPT DEBUG_PAGEALLOC +Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom +CPU: 0 +EIP: 0060:[] Not tainted VLI +EFLAGS: 00210086 (2.6.23-rc9 #3) +EIP is at kfree+0x48/0xa1 +eax: 00000556 ebx: c1734aa0 ecx: f6a5e000 edx: f7082000 +esi: 00000000 edi: f9a55d20 ebp: 00200287 esp: f6a5ef28 +ds: 007b es: 007b fs: 0000 gs: 0033 ss: 0068 +Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000) +Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00 + 00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000 + f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000 +Call Trace: + [] rose_rt_free+0x1d/0x49 [rose] + [] rose_rt_free+0x1d/0x49 [rose] + [] rose_exit+0x4c/0xd5 [rose] + [] sys_delete_module+0x15e/0x186 + [] remove_vma+0x40/0x45 + [] sysenter_past_esp+0x8f/0x99 + [] trace_hardirqs_on+0x118/0x13b + [] sysenter_past_esp+0x5f/0x99 + ======================= +Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f +EIP: [] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28 + +Signed-off-by: Alexey Dobriyan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/rose.h | 2 +- + net/rose/rose_loopback.c | 4 ++-- + net/rose/rose_route.c | 15 ++++++++++----- + 3 files changed, 13 insertions(+), 8 deletions(-) + +--- a/include/net/rose.h ++++ b/include/net/rose.h +@@ -188,7 +188,7 @@ extern void rose_kick(struct sock *); + extern void rose_enquiry_response(struct sock *); + + /* rose_route.c */ +-extern struct rose_neigh rose_loopback_neigh; ++extern struct rose_neigh *rose_loopback_neigh; + extern const struct file_operations rose_neigh_fops; + extern const struct file_operations rose_nodes_fops; + extern const struct file_operations rose_routes_fops; +--- a/net/rose/rose_loopback.c ++++ b/net/rose/rose_loopback.c +@@ -79,7 +79,7 @@ static void rose_loopback_timer(unsigned + + skb_reset_transport_header(skb); + +- sk = rose_find_socket(lci_o, &rose_loopback_neigh); ++ sk = rose_find_socket(lci_o, rose_loopback_neigh); + if (sk) { + if (rose_process_rx_frame(sk, skb) == 0) + kfree_skb(skb); +@@ -88,7 +88,7 @@ static void rose_loopback_timer(unsigned + + if (frametype == ROSE_CALL_REQUEST) { + if ((dev = rose_dev_get(dest)) != NULL) { +- if (rose_rx_call_request(skb, dev, &rose_loopback_neigh, lci_o) == 0) ++ if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0) + kfree_skb(skb); + } else { + kfree_skb(skb); +--- a/net/rose/rose_route.c ++++ b/net/rose/rose_route.c +@@ -45,7 +45,7 @@ static DEFINE_SPINLOCK(rose_neigh_list_l + static struct rose_route *rose_route_list; + static DEFINE_SPINLOCK(rose_route_list_lock); + +-struct rose_neigh rose_loopback_neigh; ++struct rose_neigh *rose_loopback_neigh; + + /* + * Add a new route to a node, and in the process add the node and the +@@ -362,7 +362,12 @@ out: + */ + void rose_add_loopback_neigh(void) + { +- struct rose_neigh *sn = &rose_loopback_neigh; ++ struct rose_neigh *sn; ++ ++ rose_loopback_neigh = kmalloc(sizeof(struct rose_neigh), GFP_KERNEL); ++ if (!rose_loopback_neigh) ++ return; ++ sn = rose_loopback_neigh; + + sn->callsign = null_ax25_address; + sn->digipeat = NULL; +@@ -417,13 +422,13 @@ int rose_add_loopback_node(rose_address + rose_node->mask = 10; + rose_node->count = 1; + rose_node->loopback = 1; +- rose_node->neighbour[0] = &rose_loopback_neigh; ++ rose_node->neighbour[0] = rose_loopback_neigh; + + /* Insert at the head of list. Address is always mask=10 */ + rose_node->next = rose_node_list; + rose_node_list = rose_node; + +- rose_loopback_neigh.count++; ++ rose_loopback_neigh->count++; + + out: + spin_unlock_bh(&rose_node_list_lock); +@@ -454,7 +459,7 @@ void rose_del_loopback_node(rose_address + + rose_remove_node(rose_node); + +- rose_loopback_neigh.count--; ++ rose_loopback_neigh->count--; + + out: + spin_unlock_bh(&rose_node_list_lock); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.698403647@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:43 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + "David S. Miller" +Subject: [patch 08/26] Fix zero length socket write() semantics. +Content-Disposition: inline; filename=fix-zero-length-socket-write-semantics.patch +Content-Length: 1368 +Lines: 48 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David S. Miller + +changeset e79ad711a0108475c1b3a03815527e7237020b08 from mainline. + +This fixes kernel bugzilla #5731 + +It should generate an empty packet for datagram protocols when the +socket is connected, for one. + +The check is doubly-wrong because all that a write() can be is a +sendmsg() call with a NULL msg_control and a single entry iovec. No +special semantics should be assigned to it, therefore the zero length +check should be removed entirely. + +This matches the behavior of BSD and several other systems. + +Alan Cox notes that SuSv3 says the behavior of a zero length write on +non-files is "unspecified", but that's kind of useless since BSD has +defined this behavior for a quarter century and BSD is essentially +what application folks code to. + +Based upon a patch from Stephen Hemminger. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/socket.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -778,9 +778,6 @@ static ssize_t sock_aio_write(struct kio + if (pos != 0) + return -ESPIPE; + +- if (iocb->ki_left == 0) /* Match SYS5 behaviour */ +- return 0; +- + x = alloc_sock_iocb(iocb, &siocb); + if (!x) + return -ENOMEM; + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:04 2007 +Message-Id: <20071031150704.837593165@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:44 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + "David S. Miller" +Subject: [patch 09/26] Fix sys_ipc() SEMCTL on sparc64. +Content-Disposition: inline; filename=fix-sys_ipc-semctl-on-sparc64.patch +Content-Length: 1696 +Lines: 61 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David S. Miller + +changeset 6536a6b331d3225921c398eb7c6e4ecedb9b05e0 from mainline + +Thanks to Tom Callaway for the excellent bug report and +test case. + +sys_ipc() has several problems, most to due with semaphore +call handling: + +1) 'err' return should be a 'long' +2) "union semun" is passed in a register on 64-bit compared + to 32-bit which provides it on the stack and therefore + by reference +3) Second and third arguments to SEMCTL are swapped compared + to 32-bit. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/sys_sparc.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +--- a/arch/sparc64/kernel/sys_sparc.c ++++ b/arch/sparc64/kernel/sys_sparc.c +@@ -436,7 +436,7 @@ out: + asmlinkage long sys_ipc(unsigned int call, int first, unsigned long second, + unsigned long third, void __user *ptr, long fifth) + { +- int err; ++ long err; + + /* No need for backward compatibility. We can start fresh... */ + if (call <= SEMCTL) { +@@ -453,16 +453,9 @@ asmlinkage long sys_ipc(unsigned int cal + err = sys_semget(first, (int)second, (int)third); + goto out; + case SEMCTL: { +- union semun fourth; +- err = -EINVAL; +- if (!ptr) +- goto out; +- err = -EFAULT; +- if (get_user(fourth.__pad, +- (void __user * __user *) ptr)) +- goto out; +- err = sys_semctl(first, (int)second | IPC_64, +- (int)third, fourth); ++ err = sys_semctl(first, third, ++ (int)second | IPC_64, ++ (union semun) ptr); + goto out; + } + default: + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150704.977640034@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:45 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + =?ISO-8859-15?q?Ilpo=20J=E4rvinen?= , + "David S. Miller" +Subject: [patch 10/26] Fix TCPs ->fastpath_cnt_hit handling. +Content-Disposition: inline; filename=fix-tcp-s-fastpath_cnt_hit-handling.patch +Content-Length: 1570 +Lines: 45 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Ilpo Järvinen + +changeset 48611c47d09023d9356e78550d1cadb8d61da9c8 in mainline. + +When only GSO skb was partially ACKed, no hints are reset, +therefore fastpath_cnt_hint must be tweaked too or else it can +corrupt fackets_out. The corruption to occur, one must have +non-trivial ACK/SACK sequence, so this bug is not very often +that harmful. There's a fackets_out state reset in TCP because +fackets_out is known to be inaccurate and that fixes the issue +eventually anyway. + +In case there was also at least one skb that got fully ACKed, +the fastpath_skb_hint is set to NULL which causes a recount for +fastpath_cnt_hint (the old value won't be accessed anymore), +thus it can safely be decremented without additional checking. + +Reported by Cedric Le Goater + +Signed-off-by: Ilpo Järvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2403,6 +2403,9 @@ static int tcp_tso_acked(struct sock *sk + __u32 dval = min(tp->fackets_out, packets_acked); + tp->fackets_out -= dval; + } ++ /* hint's skb might be NULL but we don't need to care */ ++ tp->fastpath_cnt_hint -= min_t(u32, packets_acked, ++ tp->fastpath_cnt_hint); + tp->packets_out -= packets_acked; + + BUG_ON(tcp_skb_pcount(skb) == 0); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.117942047@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + "David S. Miller" +Subject: [patch 11/26] : Fix TCP MD5 on big-endian. +Content-Disposition: inline; filename=fix-tcp-md5-on-big-endian.patch +Content-Length: 5598 +Lines: 171 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David Miller + +changeset f8ab18d2d987a59ccbf0495032b2aef05b730037 in mainline. + +Based upon a report and initial patch by Peter Lieven. + +tcp4_md5sig_key and tcp6_md5sig_key need to start with +the exact same members as tcp_md5sig_key. Because they +are both cast to that type by tcp_v{4,6}_md5_do_lookup(). + +Unfortunately tcp{4,6}_md5sig_key use a u16 for the key +length instead of a u8, which is what tcp_md5sig_key +uses. This just so happens to work by accident on +little-endian, but on big-endian it doesn't. + +Instead of casting, just place tcp_md5sig_key as the first member of +the address-family specific structures, adjust the access sites, and +kill off the ugly casts. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 6 ++---- + net/ipv4/tcp_ipv4.c | 19 +++++++++---------- + net/ipv6/tcp_ipv6.c | 18 +++++++++--------- + 3 files changed, 20 insertions(+), 23 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1061,14 +1061,12 @@ struct tcp_md5sig_key { + }; + + struct tcp4_md5sig_key { +- u8 *key; +- u16 keylen; ++ struct tcp_md5sig_key base; + __be32 addr; + }; + + struct tcp6_md5sig_key { +- u8 *key; +- u16 keylen; ++ struct tcp_md5sig_key base; + #if 0 + u32 scope_id; /* XXX */ + #endif +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -833,8 +833,7 @@ static struct tcp_md5sig_key * + return NULL; + for (i = 0; i < tp->md5sig_info->entries4; i++) { + if (tp->md5sig_info->keys4[i].addr == addr) +- return (struct tcp_md5sig_key *) +- &tp->md5sig_info->keys4[i]; ++ return &tp->md5sig_info->keys4[i].base; + } + return NULL; + } +@@ -865,9 +864,9 @@ int tcp_v4_md5_do_add(struct sock *sk, _ + key = (struct tcp4_md5sig_key *)tcp_v4_md5_do_lookup(sk, addr); + if (key) { + /* Pre-existing entry - just update that one. */ +- kfree(key->key); +- key->key = newkey; +- key->keylen = newkeylen; ++ kfree(key->base.key); ++ key->base.key = newkey; ++ key->base.keylen = newkeylen; + } else { + struct tcp_md5sig_info *md5sig; + +@@ -906,9 +905,9 @@ int tcp_v4_md5_do_add(struct sock *sk, _ + md5sig->alloced4++; + } + md5sig->entries4++; +- md5sig->keys4[md5sig->entries4 - 1].addr = addr; +- md5sig->keys4[md5sig->entries4 - 1].key = newkey; +- md5sig->keys4[md5sig->entries4 - 1].keylen = newkeylen; ++ md5sig->keys4[md5sig->entries4 - 1].addr = addr; ++ md5sig->keys4[md5sig->entries4 - 1].base.key = newkey; ++ md5sig->keys4[md5sig->entries4 - 1].base.keylen = newkeylen; + } + return 0; + } +@@ -930,7 +929,7 @@ int tcp_v4_md5_do_del(struct sock *sk, _ + for (i = 0; i < tp->md5sig_info->entries4; i++) { + if (tp->md5sig_info->keys4[i].addr == addr) { + /* Free the key */ +- kfree(tp->md5sig_info->keys4[i].key); ++ kfree(tp->md5sig_info->keys4[i].base.key); + tp->md5sig_info->entries4--; + + if (tp->md5sig_info->entries4 == 0) { +@@ -964,7 +963,7 @@ static void tcp_v4_clear_md5_list(struct + if (tp->md5sig_info->entries4) { + int i; + for (i = 0; i < tp->md5sig_info->entries4; i++) +- kfree(tp->md5sig_info->keys4[i].key); ++ kfree(tp->md5sig_info->keys4[i].base.key); + tp->md5sig_info->entries4 = 0; + tcp_free_md5sig_pool(); + } +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -551,7 +551,7 @@ static struct tcp_md5sig_key *tcp_v6_md5 + + for (i = 0; i < tp->md5sig_info->entries6; i++) { + if (ipv6_addr_cmp(&tp->md5sig_info->keys6[i].addr, addr) == 0) +- return (struct tcp_md5sig_key *)&tp->md5sig_info->keys6[i]; ++ return &tp->md5sig_info->keys6[i].base; + } + return NULL; + } +@@ -579,9 +579,9 @@ static int tcp_v6_md5_do_add(struct sock + key = (struct tcp6_md5sig_key*) tcp_v6_md5_do_lookup(sk, peer); + if (key) { + /* modify existing entry - just update that one */ +- kfree(key->key); +- key->key = newkey; +- key->keylen = newkeylen; ++ kfree(key->base.key); ++ key->base.key = newkey; ++ key->base.keylen = newkeylen; + } else { + /* reallocate new list if current one is full. */ + if (!tp->md5sig_info) { +@@ -615,8 +615,8 @@ static int tcp_v6_md5_do_add(struct sock + + ipv6_addr_copy(&tp->md5sig_info->keys6[tp->md5sig_info->entries6].addr, + peer); +- tp->md5sig_info->keys6[tp->md5sig_info->entries6].key = newkey; +- tp->md5sig_info->keys6[tp->md5sig_info->entries6].keylen = newkeylen; ++ tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.key = newkey; ++ tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.keylen = newkeylen; + + tp->md5sig_info->entries6++; + } +@@ -638,7 +638,7 @@ static int tcp_v6_md5_do_del(struct sock + for (i = 0; i < tp->md5sig_info->entries6; i++) { + if (ipv6_addr_cmp(&tp->md5sig_info->keys6[i].addr, peer) == 0) { + /* Free the key */ +- kfree(tp->md5sig_info->keys6[i].key); ++ kfree(tp->md5sig_info->keys6[i].base.key); + tp->md5sig_info->entries6--; + + if (tp->md5sig_info->entries6 == 0) { +@@ -669,7 +669,7 @@ static void tcp_v6_clear_md5_list (struc + + if (tp->md5sig_info->entries6) { + for (i = 0; i < tp->md5sig_info->entries6; i++) +- kfree(tp->md5sig_info->keys6[i].key); ++ kfree(tp->md5sig_info->keys6[i].base.key); + tp->md5sig_info->entries6 = 0; + tcp_free_md5sig_pool(); + } +@@ -680,7 +680,7 @@ static void tcp_v6_clear_md5_list (struc + + if (tp->md5sig_info->entries4) { + for (i = 0; i < tp->md5sig_info->entries4; i++) +- kfree(tp->md5sig_info->keys4[i].key); ++ kfree(tp->md5sig_info->keys4[i].base.key); + tp->md5sig_info->entries4 = 0; + tcp_free_md5sig_pool(); + } + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.261049534@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@kernel.org, + Eric Dumazet , + "David S. Miller" +Subject: [patch 12/26] : Fix TCP initial sequence number selection. +Content-Disposition: inline; filename=fix-tcp-initial-sequence-number-selection.patch +Content-Length: 1831 +Lines: 50 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Eric Dumazet + +changeset 162f6690a65075b49f242d3c8cdb5caaa959a060 in mainline. + +TCP V4 sequence numbers are 32bits, and RFC 793 assumed a 250 KHz clock. +In order to follow network speed increase, we can use a faster clock, but +we should limit this clock so that the delay between two rollovers is +greater than MSL (TCP Maximum Segment Lifetime : 2 minutes) + +Choosing a 64 nsec clock should be OK, since the rollovers occur every +274 seconds. + +Problem spotted by Denys Fedoryshchenko + +[ This bug was introduced by f85958151900f9d30fa5ff941b0ce71eaa45a7de ] + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1550,11 +1550,13 @@ __u32 secure_tcp_sequence_number(__be32 + * As close as possible to RFC 793, which + * suggests using a 250 kHz clock. + * Further reading shows this assumes 2 Mb/s networks. +- * For 10 Gb/s Ethernet, a 1 GHz clock is appropriate. +- * That's funny, Linux has one built in! Use it! +- * (Networks are faster now - should this be increased?) ++ * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate. ++ * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but ++ * we also need to limit the resolution so that the u32 seq ++ * overlaps less than one time per MSL (2 minutes). ++ * Choosing a clock of 64 ns period is OK. (period of 274 s) + */ +- seq += ktime_get_real().tv64; ++ seq += ktime_get_real().tv64 >> 6; + #if 0 + printk("init_seq(%lx, %lx, %d, %d) = %d\n", + saddr, daddr, sport, dport, seq); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.404388699@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "John W. Linville" , + Johannes Berg , + Michael Wu , + "David S. Miller" +Subject: [patch 13/26] mac80211: filter locally-originated multicast frames +Content-Disposition: inline; filename=mac80211-filter-locally-originated-multicast-frames.patch +Content-Length: 1216 +Lines: 42 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: John W. Linville + +patch b331615722779b078822988843ddffd4eaec9f83 in mainline. + +In STA mode, the AP will echo our traffic. This includes multicast +traffic. + +Receiving these frames confuses some protocols and applications, +notably IPv6 Duplicate Address Detection. + +Signed-off-by: John W. Linville +Signed-off-by: Johannes Berg +Acked-by: Michael Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ieee80211.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/ieee80211.c ++++ b/net/mac80211/ieee80211.c +@@ -2615,9 +2615,10 @@ ieee80211_rx_h_data(struct ieee80211_txr + memcpy(dst, hdr->addr1, ETH_ALEN); + memcpy(src, hdr->addr3, ETH_ALEN); + +- if (sdata->type != IEEE80211_IF_TYPE_STA) { ++ if (sdata->type != IEEE80211_IF_TYPE_STA || ++ (is_multicast_ether_addr(dst) && ++ !compare_ether_addr(src, dev->dev_addr))) + return TXRX_DROP; +- } + break; + case 0: + /* DA SA BSSID */ + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.554811151@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro , + "John W. Linville" , + Al Viro , + Dan Williams +Subject: [patch 14/26] libertas: fix endianness breakage +Content-Disposition: inline; filename=libertas-fix-endianness-breakage.patch +Content-Length: 1093 +Lines: 40 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Al Viro + +patch 5707708111ca6c4e9a1160acffdc98a98d95e462 in mainline. + + wep->keytype[] is u8 + +Signed-off-by: Al Viro +Signed-off-by: Dan Williams +Signed-off-by: John W. Linville + +--- + drivers/net/wireless/libertas/cmd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/libertas/cmd.c ++++ b/drivers/net/wireless/libertas/cmd.c +@@ -185,14 +185,12 @@ static int wlan_cmd_802_11_set_wep(wlan_ + + switch (pkey->len) { + case KEY_LEN_WEP_40: +- wep->keytype[i] = +- cpu_to_le16(cmd_type_wep_40_bit); ++ wep->keytype[i] = cmd_type_wep_40_bit; + memmove(&wep->keymaterial[i], pkey->key, + pkey->len); + break; + case KEY_LEN_WEP_104: +- wep->keytype[i] = +- cpu_to_le16(cmd_type_wep_104_bit); ++ wep->keytype[i] = cmd_type_wep_104_bit; + memmove(&wep->keymaterial[i], pkey->key, + pkey->len); + break; + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.688988923@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro , + "John W. Linville" , + Al Viro , + Dan Williams +Subject: [patch 15/26] libertas: more endianness breakage +Content-Disposition: inline; filename=libertas-more-endianness-breakage.patch +Content-Length: 2325 +Lines: 62 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Al Viro + +based on patch 8362cd413e8116306fafbaf414f0419db0595142 in mainline. + + domain->header.len is le16 and has just been assigned +cpu_to_le16(arithmetical expression). And all fields of adapter->logmsg +are __le32; not a single 16-bit among them... + That's incremental to the previous one + +Signed-off-by: Al Viro +Signed-off-by: Dan Williams +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/11d.c | 2 +- + drivers/net/wireless/libertas/wext.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/libertas/11d.c ++++ b/drivers/net/wireless/libertas/11d.c +@@ -562,7 +562,7 @@ int libertas_cmd_802_11d_domain_info(wla + nr_subband * sizeof(struct ieeetypes_subbandset)); + + cmd->size = cpu_to_le16(sizeof(pdomaininfo->action) + +- domain->header.len + ++ le16_to_cpu(domain->header.len) + + sizeof(struct mrvlietypesheader) + + S_DS_GEN); + } else { +--- a/drivers/net/wireless/libertas/wext.c ++++ b/drivers/net/wireless/libertas/wext.c +@@ -973,7 +973,7 @@ static struct iw_statistics *wlan_get_wi + /* Quality by TX errors */ + priv->wstats.discard.retries = priv->stats.tx_errors; + +- tx_retries = le16_to_cpu(adapter->logmsg.retry); ++ tx_retries = le32_to_cpu(adapter->logmsg.retry); + + if (tx_retries > 75) + tx_qual = (90 - tx_retries) * POOR / 15; +@@ -989,10 +989,10 @@ static struct iw_statistics *wlan_get_wi + (PERFECT - VERY_GOOD) / 50 + VERY_GOOD; + quality = min(quality, tx_qual); + +- priv->wstats.discard.code = le16_to_cpu(adapter->logmsg.wepundecryptable); +- priv->wstats.discard.fragment = le16_to_cpu(adapter->logmsg.rxfrag); ++ priv->wstats.discard.code = le32_to_cpu(adapter->logmsg.wepundecryptable); ++ priv->wstats.discard.fragment = le32_to_cpu(adapter->logmsg.rxfrag); + priv->wstats.discard.retries = tx_retries; +- priv->wstats.discard.misc = le16_to_cpu(adapter->logmsg.ackfailure); ++ priv->wstats.discard.misc = le32_to_cpu(adapter->logmsg.ackfailure); + + /* Calculate quality */ + priv->wstats.qual.qual = max(quality, (u32)100); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:05 2007 +Message-Id: <20071031150705.829143423@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + warmcat , + "John W. Linville" +Subject: [patch 16/26] Add get_unaligned to ieee80211_get_radiotap_len +Content-Disposition: inline; filename=add-get_unaligned-to-ieee80211_get_radiotap_len.patch +Content-Length: 1137 +Lines: 42 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Andy Green + +patch dfe6e81deaa79c85086c0cc8d85b229e444ab97f in mainline. + +ieee80211_get_radiotap_len() tries to dereference radiotap length without +taking care that it is completely unaligned and get_unaligned() +is required. + +Signed-off-by: Andy Green +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ieee80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/ieee80211.c ++++ b/net/mac80211/ieee80211.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include "ieee80211_common.h" + #include "ieee80211_i.h" +@@ -338,7 +339,7 @@ static int ieee80211_get_radiotap_len(st + struct ieee80211_radiotap_header *hdr = + (struct ieee80211_radiotap_header *) skb->data; + +- return le16_to_cpu(hdr->it_len); ++ return le16_to_cpu(get_unaligned(&hdr->it_len)); + } + + #ifdef CONFIG_MAC80211_LOWTX_FRAME_DUMP + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150705.968582288@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stefan Richter +Subject: [patch 17/26] firewire: fix unloading of fw-ohci while devices are attached +Content-Disposition: inline; filename=firewire-fix-unloading-of-fw-ohci-while-devices-are-attached.patch +Content-Length: 925 +Lines: 36 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Stefan Richter + +Fix panic in run_timer_softirq right after "modprobe -r firewire-ohci" +if a FireWire disk was attached and firewire-sbp2 loaded. + +Same as commit 8a2d9ed3210464d22fccb9834970629c1c36fa36. + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/fw-card.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/firewire/fw-card.c ++++ b/drivers/firewire/fw-card.c +@@ -507,9 +507,11 @@ fw_core_remove_card(struct fw_card *card + /* Set up the dummy driver. */ + card->driver = &dummy_driver; + +- fw_flush_transactions(card); +- + fw_destroy_nodes(card); ++ flush_scheduled_work(); ++ ++ fw_flush_transactions(card); ++ del_timer_sync(&card->flush_timer); + + fw_card_put(card); + } + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.110276806@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Garzik , + Karsten Keil +Subject: [patch 18/26] netdrvr: natsemi: Fix device removal bug +Content-Disposition: inline; filename=netdrvr-natsemi-fix-device-removal-bug.patch +Content-Length: 1266 +Lines: 38 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +This episode illustrates how an overused warning can train people to +ignore that warning, which winds up hiding bugs. + +The warning + +drivers/net/natsemi.c: In function ‘natsemi_remove1’: +drivers/net/natsemi.c:3222: warning: ignoring return value of +‘device_create_file’, declared with attribute warn_unused_result + +is oft-ignored, even though at close inspection one notices this occurs +in the /remove/ function, not normally where creation occurs. A quick +s/create/remove/ and we are fixed, with the warning gone. + +Signed-off-by: Jeff Garzik +Cc: Karsten Keil +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/natsemi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/natsemi.c ++++ b/drivers/net/natsemi.c +@@ -671,7 +671,7 @@ static ssize_t natsemi_show_##_name(stru + #define NATSEMI_CREATE_FILE(_dev, _name) \ + device_create_file(&_dev->dev, &dev_attr_##_name) + #define NATSEMI_REMOVE_FILE(_dev, _name) \ +- device_create_file(&_dev->dev, &dev_attr_##_name) ++ device_remove_file(&_dev->dev, &dev_attr_##_name) + + NATSEMI_ATTR(dspcfg_workaround); + + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.250252712@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + jeff@garzik.org, + Peter Korsgaard +Subject: [patch 19/26] dm9601: Fix receive MTU +Content-Disposition: inline; filename=dm9601-fix-receive-mtu.patch +Content-Length: 1054 +Lines: 34 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Peter Korsgaard + +patch f662fe5a0b144efadbfc00e8040e603ec318746e in mainline. + +dm9601: Fix receive MTU + +dm9601 didn't take the ethernet header into account when calculating +RX MTU, causing packets bigger than 1486 to fail. + +Signed-off-by: Peter Korsgaard +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/dm9601.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -405,7 +405,7 @@ static int dm9601_bind(struct usbnet *de + dev->net->ethtool_ops = &dm9601_ethtool_ops; + dev->net->hard_header_len += DM_TX_OVERHEAD; + dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len; +- dev->rx_urb_size = dev->net->mtu + DM_RX_OVERHEAD; ++ dev->rx_urb_size = dev->net->mtu + ETH_HLEN + DM_RX_OVERHEAD; + + dev->mii.dev = dev->net; + dev->mii.mdio_read = dm9601_mdio_read; + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.389928073@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Hans Verkuil , + v4l-dvb maintainer list , + Ian Armstrong , + Mauro Carvalho Chehab , + Ian Armstrong +Subject: [patch 20/26] V4L: ivtv: fix udma yuv bug +Content-Disposition: inline; filename=v4l-ivtv-fix-udma-yuv-bug.patch +Content-Length: 1302 +Lines: 39 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Ian Armstrong + +Based on cb50f548c0ee9b2aac39743fc4021a7188825a98 in mainline + +[PATCH] V4L: ivtv: fix udma yuv bug + +Using udma yuv causes the driver to become locked into that mode. This +prevents use of the mpeg decoder & non-udma yuv output. + +This patch clears the operating mode when the device is closed. + +Signed-off-by: Ian Armstrong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-fileops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/video/ivtv/ivtv-fileops.c ++++ b/drivers/media/video/ivtv/ivtv-fileops.c +@@ -753,6 +753,8 @@ static void ivtv_stop_decoding(struct iv + } + if (s->type == IVTV_DEC_STREAM_TYPE_YUV && itv->output_mode == OUT_YUV) + itv->output_mode = OUT_NONE; ++ else if (s->type == IVTV_DEC_STREAM_TYPE_YUV && itv->output_mode == OUT_UDMA_YUV) ++ itv->output_mode = OUT_NONE; + else if (s->type == IVTV_DEC_STREAM_TYPE_MPG && itv->output_mode == OUT_MPG) + itv->output_mode = OUT_NONE; + + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.533078725@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Mark M. Hoffman" , + Jean Delvare , + Hans de Goede +Subject: [patch 21/26] hwmon/lm87: Fix a division by zero +Content-Disposition: inline; filename=hwmon-lm87-fix-a-division-by-zero.patch +Content-Length: 1148 +Lines: 34 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jean Delvare + +Already in Linus' tree: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b965d4b7f614522170af6a7e450be0333792ccd2 + +Missing parentheses in the definition of FAN_FROM_REG cause a +division by zero for a specific register value. + +Signed-off-by: Jean Delvare +Acked-by: Hans de Goede +Signed-off-by: Mark M. Hoffman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm87.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm87.c ++++ b/drivers/hwmon/lm87.c +@@ -129,7 +129,7 @@ static u8 LM87_REG_TEMP_LOW[3] = { 0x3A, + (((val) < 0 ? (val)-500 : (val)+500) / 1000)) + + #define FAN_FROM_REG(reg,div) ((reg) == 255 || (reg) == 0 ? 0 : \ +- 1350000 + (reg)*(div) / 2) / ((reg)*(div)) ++ (1350000 + (reg)*(div) / 2) / ((reg)*(div))) + #define FAN_TO_REG(val,div) ((val)*(div) * 255 <= 1350000 ? 255 : \ + (1350000 + (val)*(div) / 2) / ((val)*(div))) + + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.680348781@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Mark M. Hoffman" , + Jean Delvare +Subject: [patch 22/26] hwmon/lm87: Disable VID when it should be +Content-Disposition: inline; filename=hwmon-lm87-disable-vid-when-it-should-be.patch +Content-Length: 972 +Lines: 33 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jean Delvare + +Already in Linus' tree: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=889af3d5d9586db795a06c619e416b4baee11da8 + +A stupid bit shifting bug caused the VID value to be always exported +even when the hardware is configured for something different. + +Signed-off-by: Jean Delvare +Signed-off-by: Mark M. Hoffman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm87.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm87.c ++++ b/drivers/hwmon/lm87.c +@@ -145,7 +145,7 @@ static u8 LM87_REG_TEMP_LOW[3] = { 0x3A, + #define CHAN_NO_FAN(nr) (1 << (nr)) + #define CHAN_TEMP3 (1 << 2) + #define CHAN_VCC_5V (1 << 3) +-#define CHAN_NO_VID (1 << 8) ++#define CHAN_NO_VID (1 << 7) + + /* + * Functions declaration + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:06 2007 +Message-Id: <20071031150706.816716551@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Mark M. Hoffman" , + Jean Delvare +Subject: [patch 23/26] hwmon/w83627hf: Fix setting fan min right after driver load +Content-Disposition: inline; filename=hwmon-w83627hf-fix-setting-fan-min-right-after-driver-load.patch +Content-Length: 3240 +Lines: 88 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jean Delvare + +Already in Linus' tree: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c09c5184a26158da32801e89d5849d774605f0dd + +We need to read the fan clock dividers at initialization time, +otherwise the code in store_fan_min() may use uninitialized values. +That's pretty much the same bug and same fix as for the w83627ehf +driver last month. + +Signed-off-by: Jean Delvare +Signed-off-by: Mark M. Hoffman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/w83627hf.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/drivers/hwmon/w83627hf.c ++++ b/drivers/hwmon/w83627hf.c +@@ -335,6 +335,7 @@ static int w83627hf_remove(struct platfo + + static int w83627hf_read_value(struct w83627hf_data *data, u16 reg); + static int w83627hf_write_value(struct w83627hf_data *data, u16 reg, u16 value); ++static void w83627hf_update_fan_div(struct w83627hf_data *data); + static struct w83627hf_data *w83627hf_update_device(struct device *dev); + static void w83627hf_init_device(struct platform_device *pdev); + +@@ -1127,6 +1128,7 @@ static int __devinit w83627hf_probe(stru + data->fan_min[0] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(1)); + data->fan_min[1] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(2)); + data->fan_min[2] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(3)); ++ w83627hf_update_fan_div(data); + + /* Register common device attributes */ + if ((err = sysfs_create_group(&dev->kobj, &w83627hf_group))) +@@ -1430,6 +1432,24 @@ static void __devinit w83627hf_init_devi + | 0x01); + } + ++static void w83627hf_update_fan_div(struct w83627hf_data *data) ++{ ++ int reg; ++ ++ reg = w83627hf_read_value(data, W83781D_REG_VID_FANDIV); ++ data->fan_div[0] = (reg >> 4) & 0x03; ++ data->fan_div[1] = (reg >> 6) & 0x03; ++ if (data->type != w83697hf) { ++ data->fan_div[2] = (w83627hf_read_value(data, ++ W83781D_REG_PIN) >> 6) & 0x03; ++ } ++ reg = w83627hf_read_value(data, W83781D_REG_VBAT); ++ data->fan_div[0] |= (reg >> 3) & 0x04; ++ data->fan_div[1] |= (reg >> 4) & 0x04; ++ if (data->type != w83697hf) ++ data->fan_div[2] |= (reg >> 5) & 0x04; ++} ++ + static struct w83627hf_data *w83627hf_update_device(struct device *dev) + { + struct w83627hf_data *data = dev_get_drvdata(dev); +@@ -1493,18 +1513,8 @@ static struct w83627hf_data *w83627hf_up + w83627hf_read_value(data, W83781D_REG_TEMP_HYST(3)); + } + +- i = w83627hf_read_value(data, W83781D_REG_VID_FANDIV); +- data->fan_div[0] = (i >> 4) & 0x03; +- data->fan_div[1] = (i >> 6) & 0x03; +- if (data->type != w83697hf) { +- data->fan_div[2] = (w83627hf_read_value(data, +- W83781D_REG_PIN) >> 6) & 0x03; +- } +- i = w83627hf_read_value(data, W83781D_REG_VBAT); +- data->fan_div[0] |= (i >> 3) & 0x04; +- data->fan_div[1] |= (i >> 4) & 0x04; +- if (data->type != w83697hf) +- data->fan_div[2] |= (i >> 5) & 0x04; ++ w83627hf_update_fan_div(data); ++ + data->alarms = + w83627hf_read_value(data, W83781D_REG_ALARM1) | + (w83627hf_read_value(data, W83781D_REG_ALARM2) << 8) | + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:07 2007 +Message-Id: <20071031150706.957170756@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Mark M. Hoffman" , + Jean Delvare +Subject: [patch 24/26] hwmon/w83627hf: Dont assume bank 0 +Content-Disposition: inline; filename=hwmon-w83627hf-don-t-assume-bank-0.patch +Content-Length: 3729 +Lines: 111 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jean Delvare + +Already in Linus' tree: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d58df9cd788e6fb4962e1c8d5ba7b8b95d639a44 + +The bank switching code assumes that the bank selector is set to 0 +when the driver is loaded. This might not be the case. This is exactly +the same bug as was fixed in the w83627ehf driver two months ago: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0956895aa6f8dc6a33210967252fd7787652537d + +In practice, this bug was causing the sensor thermal types to be +improperly reported for my W83627THF the first time I was loading the +w83627hf driver. From the driver history, I'd say that it has been +broken since September 2005 (when we stopped resetting the chip by +default at driver load.) + +Signed-off-by: Jean Delvare +Signed-off-by: Mark M. Hoffman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/w83627hf.c | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +--- a/drivers/hwmon/w83627hf.c ++++ b/drivers/hwmon/w83627hf.c +@@ -1209,6 +1209,24 @@ static int __devexit w83627hf_remove(str + } + + ++/* Registers 0x50-0x5f are banked */ ++static inline void w83627hf_set_bank(struct w83627hf_data *data, u16 reg) ++{ ++ if ((reg & 0x00f0) == 0x50) { ++ outb_p(W83781D_REG_BANK, data->addr + W83781D_ADDR_REG_OFFSET); ++ outb_p(reg >> 8, data->addr + W83781D_DATA_REG_OFFSET); ++ } ++} ++ ++/* Not strictly necessary, but play it safe for now */ ++static inline void w83627hf_reset_bank(struct w83627hf_data *data, u16 reg) ++{ ++ if (reg & 0xff00) { ++ outb_p(W83781D_REG_BANK, data->addr + W83781D_ADDR_REG_OFFSET); ++ outb_p(0, data->addr + W83781D_DATA_REG_OFFSET); ++ } ++} ++ + static int w83627hf_read_value(struct w83627hf_data *data, u16 reg) + { + int res, word_sized; +@@ -1219,12 +1237,7 @@ static int w83627hf_read_value(struct w8 + && (((reg & 0x00ff) == 0x50) + || ((reg & 0x00ff) == 0x53) + || ((reg & 0x00ff) == 0x55)); +- if (reg & 0xff00) { +- outb_p(W83781D_REG_BANK, +- data->addr + W83781D_ADDR_REG_OFFSET); +- outb_p(reg >> 8, +- data->addr + W83781D_DATA_REG_OFFSET); +- } ++ w83627hf_set_bank(data, reg); + outb_p(reg & 0xff, data->addr + W83781D_ADDR_REG_OFFSET); + res = inb_p(data->addr + W83781D_DATA_REG_OFFSET); + if (word_sized) { +@@ -1234,11 +1247,7 @@ static int w83627hf_read_value(struct w8 + (res << 8) + inb_p(data->addr + + W83781D_DATA_REG_OFFSET); + } +- if (reg & 0xff00) { +- outb_p(W83781D_REG_BANK, +- data->addr + W83781D_ADDR_REG_OFFSET); +- outb_p(0, data->addr + W83781D_DATA_REG_OFFSET); +- } ++ w83627hf_reset_bank(data, reg); + mutex_unlock(&data->lock); + return res; + } +@@ -1309,12 +1318,7 @@ static int w83627hf_write_value(struct w + || ((reg & 0xff00) == 0x200)) + && (((reg & 0x00ff) == 0x53) + || ((reg & 0x00ff) == 0x55)); +- if (reg & 0xff00) { +- outb_p(W83781D_REG_BANK, +- data->addr + W83781D_ADDR_REG_OFFSET); +- outb_p(reg >> 8, +- data->addr + W83781D_DATA_REG_OFFSET); +- } ++ w83627hf_set_bank(data, reg); + outb_p(reg & 0xff, data->addr + W83781D_ADDR_REG_OFFSET); + if (word_sized) { + outb_p(value >> 8, +@@ -1324,11 +1328,7 @@ static int w83627hf_write_value(struct w + } + outb_p(value & 0xff, + data->addr + W83781D_DATA_REG_OFFSET); +- if (reg & 0xff00) { +- outb_p(W83781D_REG_BANK, +- data->addr + W83781D_ADDR_REG_OFFSET); +- outb_p(0, data->addr + W83781D_DATA_REG_OFFSET); +- } ++ w83627hf_reset_bank(data, reg); + mutex_unlock(&data->lock); + return 0; + } + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:07 2007 +Message-Id: <20071031150707.100836797@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:06:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dave Airlie +Subject: [patch 25/26] i915: fix vbl swap allocation size. +Content-Disposition: inline; filename=i915-fix-vbl-swap-allocation-size.patch +Content-Length: 764 +Lines: 30 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Dave Airlie + +This is upstream as 54583bf4efda79388fc13163e35c016c8bc5de81 + +Oops... + +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/drm/i915_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/drm/i915_irq.c ++++ b/drivers/char/drm/i915_irq.c +@@ -541,7 +541,7 @@ int i915_vblank_swap(DRM_IOCTL_ARGS) + return DRM_ERR(EBUSY); + } + +- vbl_swap = drm_calloc(1, sizeof(vbl_swap), DRM_MEM_DRIVER); ++ vbl_swap = drm_calloc(1, sizeof(*vbl_swap), DRM_MEM_DRIVER); + + if (!vbl_swap) { + DRM_ERROR("Failed to allocate memory to queue swap\n"); + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:07 2007 +Message-Id: <20071031150707.241768325@mini.kroah.org> +References: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:06:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Kumar Gala +Subject: [patch 26/26] POWERPC: Fix handling of stfiwx math emulation +Content-Disposition: inline; filename=powerpc-fix-handling-of-stfiwx-math-emulation.patch +Content-Length: 1258 +Lines: 47 + +2.6.22-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Kumar Gala + +patch ba02946a903015840ef672ccc9dc8620a7e83de6 in mainline + +Its legal for the stfiwx instruction to have RA = 0 as part of its +effective address calculation. This is illegal for all other XE +form instructions. + +Add code to compute the proper effective address for stfiwx if +RA = 0 rather than treating it as illegal. + +Signed-off-by: Kumar Gala +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/math-emu/math.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/math-emu/math.c ++++ b/arch/powerpc/math-emu/math.c +@@ -407,11 +407,16 @@ do_mathemu(struct pt_regs *regs) + + case XE: + idx = (insn >> 16) & 0x1f; +- if (!idx) +- goto illegal; +- + op0 = (void *)¤t->thread.fpr[(insn >> 21) & 0x1f]; +- op1 = (void *)(regs->gpr[idx] + regs->gpr[(insn >> 11) & 0x1f]); ++ if (!idx) { ++ if (((insn >> 1) & 0x3ff) == STFIWX) ++ op1 = (void *)(regs->gpr[(insn >> 11) & 0x1f]); ++ else ++ goto illegal; ++ } else { ++ op1 = (void *)(regs->gpr[idx] + regs->gpr[(insn >> 11) & 0x1f]); ++ } ++ + break; + + case XEU: + +-- + +From gregkh@mini.kroah.org Wed Oct 31 08:07:03 2007 +Message-Id: <20071031150535.967437651@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Wed, 31 Oct 2007 08:05:35 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/26] 2.6.22-stable review +Content-Length: 885 +Lines: 21 + +This is the start of the stable review cycle for the 2.6.22.11 release. +There are 26 patches in this series, all will be posted as a response +to this one. If anyone has any issues with these being applied, please +let us know. If anyone is a maintainer of the proper subsystem, and +wants to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the +Cc: line. If you wish to be a reviewer, please email stable@kernel.org +to add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Nov 2, 2007 16:00:00 UTC. Anything received +after that time might be too late. + +This is probably going to be the last 2.6.22-stable release, unless I +have missed some major issues somewhere. If I have, please let the +stable team know. + +thanks, + +the -stable release team + diff --git a/queue-2.6.22/netdrvr-natsemi-fix-device-removal-bug.patch b/review-2.6.22/netdrvr-natsemi-fix-device-removal-bug.patch similarity index 100% rename from queue-2.6.22/netdrvr-natsemi-fix-device-removal-bug.patch rename to review-2.6.22/netdrvr-natsemi-fix-device-removal-bug.patch diff --git a/queue-2.6.22/powerpc-fix-handling-of-stfiwx-math-emulation.patch b/review-2.6.22/powerpc-fix-handling-of-stfiwx-math-emulation.patch similarity index 100% rename from queue-2.6.22/powerpc-fix-handling-of-stfiwx-math-emulation.patch rename to review-2.6.22/powerpc-fix-handling-of-stfiwx-math-emulation.patch diff --git a/queue-2.6.22/series b/review-2.6.22/series similarity index 100% rename from queue-2.6.22/series rename to review-2.6.22/series diff --git a/queue-2.6.22/v4l-ivtv-fix-udma-yuv-bug.patch b/review-2.6.22/v4l-ivtv-fix-udma-yuv-bug.patch similarity index 100% rename from queue-2.6.22/v4l-ivtv-fix-udma-yuv-bug.patch rename to review-2.6.22/v4l-ivtv-fix-udma-yuv-bug.patch