From: Greg Kroah-Hartman Date: Sat, 28 Jan 2006 02:17:14 +0000 (-0800) Subject: 2.6.15.2 and 2.6.14.7 review cycle started X-Git-Tag: v2.6.14.7~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e86f0bef73be6c323ac1960fb02a0b8e647dc779;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.15.2 and 2.6.14.7 review cycle started --- diff --git a/review-2.6.14/2.6.14.7-review.mbox b/review-2.6.14/2.6.14.7-review.mbox new file mode 100644 index 00000000000..5ebf4a3149c --- /dev/null +++ b/review-2.6.14/2.6.14.7-review.mbox 
@@ -0,0 +1,507 @@ +From greg@press.kroah.org Fri Jan 27 18:00:39 2006 +Message-Id: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 17:58:41 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 0/6] 2.6.14.7 -stable review +Status: RO +Content-Length: 735 +Lines: 17 + +This is the start of the stable review cycle for the 2.6.14.7 release. +There are 6 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Monday, January 30, 00:00:00 UTC. Anything +received after that time, might be too late. + +thanks, + +the -stable release team + +From greg@press.kroah.org Fri Jan 27 18:00:40 2006 +Message-Id: <20060128020039.784060000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:01 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, shaohua.li@intel.com +Subject: [patch 1/6] setting irq affinity is broken in ia32 with MSI enabled +Content-Disposition: inline; filename=setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch +Status: RO +Content-Length: 1167 +Lines: 41 + +-stable review patch. 
If anyone has any objections, please let us know. + +------------------ + +From: Shaohua Li + +Setting irq affinity stops working when MSI is enabled. With MSI, move_irq +is empty, so we can't change irq affinity. It appears a typo in Ashok's +original commit for this issue. X86_64 actually is using move_native_irq. + +Signed-off-by: Shaohua Li +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/i386/kernel/io_apic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.14.6.orig/arch/i386/kernel/io_apic.c ++++ linux-2.6.14.6/arch/i386/kernel/io_apic.c +@@ -1937,7 +1937,7 @@ static void ack_edge_ioapic_vector(unsig + { + int irq = vector_to_irq(vector); + +- move_irq(vector); ++ move_native_irq(vector); + ack_edge_ioapic_irq(irq); + } + +@@ -1952,7 +1952,7 @@ static void end_level_ioapic_vector (uns + { + int irq = vector_to_irq(vector); + +- move_irq(vector); ++ move_native_irq(vector); + end_level_ioapic_irq(irq); + } + + +-- + +From greg@press.kroah.org Fri Jan 27 18:00:40 2006 +Message-Id: <20060128020040.687499000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:02 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, davem@davemloft.net, bdschuym@pandora.be +Subject: [patch 2/6] [EBTABLES] Don't match tcp/udp source/destination port for IP fragments +Content-Disposition: inline; filename=fix-bridge-netfilter-matching-ip-fragments.patch +Status: RO +Content-Length: 1065 +Lines: 34 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Bart De Schuymer + +Signed-off-by: Bart De Schuymer +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebt_ip.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.14.6.orig/net/bridge/netfilter/ebt_ip.c ++++ linux-2.6.14.6/net/bridge/netfilter/ebt_ip.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk + if (!(info->bitmask & EBT_IP_DPORT) && + !(info->bitmask & EBT_IP_SPORT)) + return EBT_MATCH; ++ if (ntohs(ih->frag_off) & IP_OFFSET) ++ return EBT_NOMATCH; + pptr = skb_header_pointer(skb, ih->ihl*4, + sizeof(_ports), &_ports); + if (pptr == NULL) + +-- + +From greg@press.kroah.org Fri Jan 27 18:00:41 2006 +Message-Id: <20060128020041.271240000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:03 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, davem@davemloft.net, richm@oldelvet.org.uk +Subject: [patch 3/6] [SPARC64]: Fix ptrace/strace +Content-Disposition: inline; filename=sparc64-fix-ptrace.patch +Status: RO +Content-Length: 1392 +Lines: 45 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Richard Mortimer + +Don't clobber register %l0 while checking TI_SYS_NOERROR value in +syscall return path. This bug was introduced by: + +db7d9a4eb700be766cc9f29241483dbb1e748832 + +Problem narrowed down by Luis F. Ortiz and Richard Mortimer. + +I tried using %l2 as suggested by Luis and that works for me. + +Looking at the code I wonder if it makes sense to simplify the code +a little bit. The following works for me but I'm not sure how to +exercise the "NOERROR" codepath. + +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc64/kernel/entry.S | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- linux-2.6.14.6.orig/arch/sparc64/kernel/entry.S ++++ linux-2.6.14.6/arch/sparc64/kernel/entry.S +@@ -1657,13 +1657,10 @@ ret_sys_call: + /* Check if force_successful_syscall_return() + * was invoked. + */ +- ldub [%curptr + TI_SYS_NOERROR], %l0 +- brz,pt %l0, 1f +- nop +- ba,pt %xcc, 80f ++ ldub [%curptr + TI_SYS_NOERROR], %l2 ++ brnz,a,pn %l2, 80f + stb %g0, [%curptr + TI_SYS_NOERROR] + +-1: + cmp %o0, -ERESTART_RESTARTBLOCK + bgeu,pn %xcc, 1f + andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6 + +-- + +From greg@press.kroah.org Fri Jan 27 18:00:43 2006 +Message-Id: <20060128020042.145964000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:04 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, davem@davemloft.net +Subject: [patch 4/6] [SPARC64]: Fix sys_fstat64() entry in 64-bit syscall table. +Content-Disposition: inline; filename=sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch +Status: RO +Content-Length: 1179 +Lines: 28 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: "David S. Miller" + +Noticed by Jakub Jelinek. + +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc64/kernel/systbls.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.6.orig/arch/sparc64/kernel/systbls.S ++++ linux-2.6.14.6/arch/sparc64/kernel/systbls.S +@@ -98,7 +98,7 @@ sys_call_table: + .word sys_umount, sys_setgid, sys_getgid, sys_signal, sys_geteuid + /*50*/ .word sys_getegid, sys_acct, sys_memory_ordering, sys_nis_syscall, sys_ioctl + .word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve +-/*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_stat64, sys_getpagesize ++/*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize + .word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall + /*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect + .word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups + +-- + +From greg@press.kroah.org Fri Jan 27 18:00:45 2006 +Message-Id: <20060128020044.285351000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:05 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, kaber@trash.net +Subject: [patch 5/6] [NETFILTER]: Fix crash in ip_nat_pptp (CVE-2006-0036) +Content-Disposition: inline; filename=netfilter-fix-crash-in-ip_nat_pptp.patch +Status: RO +Content-Length: 1004 +Lines: 31 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Patrick McHardy + +When an inbound PPTP_IN_CALL_REQUEST packet is received the +PPTP NAT helper uses a NULL pointer in pointer arithmentic to +calculate the offset in the packet which needs to be mangled +and corrupts random memory or crashes. 
+ +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/ip_nat_helper_pptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c ++++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c +@@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb, + break; + case PPTP_IN_CALL_REQUEST: + /* only need to nat in case PAC is behind NAT box */ +- break; ++ return NF_ACCEPT; + case PPTP_WAN_ERROR_NOTIFY: + pcid = &pptpReq->wanerr.peersCallID; + break; + +-- + +From greg@press.kroah.org Fri Jan 27 18:00:46 2006 +Message-Id: <20060128020045.469709000@press.kroah.org> +References: <20060128015840.722214000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:06 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, kaber@trash.net +Subject: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037) +Content-Disposition: inline; filename=netfilter-fix-another-crash-in-ip_nat_pptp.patch +Status: RO +Content-Length: 5633 +Lines: 152 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Patrick McHardy + +The PPTP NAT helper calculates the offset at which the packet needs +to be mangled as difference between two pointers to the header. With +non-linear skbs however the pointers may point to two seperate buffers +on the stack and the calculation results in a wrong offset beeing +used. 
+ +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/ip_nat_helper_pptp.c | 57 +++++++++++++++----------------- + 1 file changed, 27 insertions(+), 30 deletions(-) + +--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c ++++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c +@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb, + { + struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info; + struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info; +- +- u_int16_t msg, *cid = NULL, new_callid; ++ u_int16_t msg, new_callid; ++ unsigned int cid_off; + + new_callid = htons(ct_pptp_info->pns_call_id); + + switch (msg = ntohs(ctlh->messageType)) { + case PPTP_OUT_CALL_REQUEST: +- cid = &pptpReq->ocreq.callID; ++ cid_off = offsetof(union pptp_ctrl_union, ocreq.callID); + /* FIXME: ideally we would want to reserve a call ID + * here. current netfilter NAT core is not able to do + * this :( For now we use TCP source port. 
This breaks +@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb, + ct_pptp_info->pns_call_id = ntohs(new_callid); + break; + case PPTP_IN_CALL_REPLY: +- cid = &pptpReq->icreq.callID; ++ cid_off = offsetof(union pptp_ctrl_union, icreq.callID); + break; + case PPTP_CALL_CLEAR_REQUEST: +- cid = &pptpReq->clrreq.callID; ++ cid_off = offsetof(union pptp_ctrl_union, clrreq.callID); + break; + default: + DEBUGP("unknown outbound packet 0x%04x:%s\n", msg, +@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb, + + /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass + * down to here */ +- +- IP_NF_ASSERT(cid); +- + DEBUGP("altering call id from 0x%04x to 0x%04x\n", +- ntohs(*cid), ntohs(new_callid)); ++ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid)); + + /* mangle packet */ + if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, +- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)), +- sizeof(new_callid), +- (char *)&new_callid, +- sizeof(new_callid)) == 0) ++ cid_off + sizeof(struct pptp_pkt_hdr) + ++ sizeof(struct PptpControlHeader), ++ sizeof(new_callid), (char *)&new_callid, ++ sizeof(new_callid)) == 0) + return NF_DROP; + + return NF_ACCEPT; +@@ -297,7 +294,8 @@ pptp_inbound_pkt(struct sk_buff **pskb, + union pptp_ctrl_union *pptpReq) + { + struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info; +- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL; ++ u_int16_t msg, new_cid = 0, new_pcid; ++ unsigned int pcid_off, cid_off = 0; + + int ret = NF_ACCEPT, rv; + +@@ -305,23 +303,23 @@ pptp_inbound_pkt(struct sk_buff **pskb, + + switch (msg = ntohs(ctlh->messageType)) { + case PPTP_OUT_CALL_REPLY: +- pcid = &pptpReq->ocack.peersCallID; +- cid = &pptpReq->ocack.callID; ++ pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID); ++ cid_off = offsetof(union pptp_ctrl_union, ocack.callID); + break; + case PPTP_IN_CALL_CONNECT: +- pcid = &pptpReq->iccon.peersCallID; ++ pcid_off = offsetof(union 
pptp_ctrl_union, iccon.peersCallID); + break; + case PPTP_IN_CALL_REQUEST: + /* only need to nat in case PAC is behind NAT box */ + return NF_ACCEPT; + case PPTP_WAN_ERROR_NOTIFY: +- pcid = &pptpReq->wanerr.peersCallID; ++ pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID); + break; + case PPTP_CALL_DISCONNECT_NOTIFY: +- pcid = &pptpReq->disc.callID; ++ pcid_off = offsetof(union pptp_ctrl_union, disc.callID); + break; + case PPTP_SET_LINK_INFO: +- pcid = &pptpReq->setlink.peersCallID; ++ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID); + break; + + default: +@@ -343,25 +341,24 @@ pptp_inbound_pkt(struct sk_buff **pskb, + * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */ + + /* mangle packet */ +- IP_NF_ASSERT(pcid); + DEBUGP("altering peer call id from 0x%04x to 0x%04x\n", +- ntohs(*pcid), ntohs(new_pcid)); ++ ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid)); + +- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, +- (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)), ++ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, ++ pcid_off + sizeof(struct pptp_pkt_hdr) + ++ sizeof(struct PptpControlHeader), + sizeof(new_pcid), (char *)&new_pcid, + sizeof(new_pcid)); + if (rv != NF_ACCEPT) + return rv; + + if (new_cid) { +- IP_NF_ASSERT(cid); + DEBUGP("altering call id from 0x%04x to 0x%04x\n", +- ntohs(*cid), ntohs(new_cid)); +- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, +- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)), +- sizeof(new_cid), +- (char *)&new_cid, ++ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid)); ++ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, ++ cid_off + sizeof(struct pptp_pkt_hdr) + ++ sizeof(struct PptpControlHeader), ++ sizeof(new_cid), (char *)&new_cid, + sizeof(new_cid)); + if (rv != NF_ACCEPT) + return rv; + +-- + 
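Review bot: In patch 6/6, the rewritten DEBUGP calls in pptp_outbound_pkt() and pptp_inbound_pkt() no longer print the call ID that is about to be replaced. `ntohs(*(u_int16_t *)pptpReq + cid_off)` parses as `(*(u_int16_t *)pptpReq) + cid_off`, because the cast and the dereference bind tighter than the addition, so the debug line shows the first 16 bits of the union plus the offset. The same applies to the `pcid_off` variant. Something like `*(u_int16_t *)((void *)pptpReq + cid_off)` would read the field at the byte offset that offsetof() produced. The offset handed to ip_nat_mangle_tcp_packet() is computed separately and is not affected. A smaller point in the same patch: with the IP_NF_ASSERT() checks removed, `pcid_off` in pptp_inbound_pkt() is declared without an initializer, so the code depends on every switch case that reaches the mangle step having assigned it. A short comment saying so would help the next reader.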
diff --git a/queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch b/review-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch similarity index 100% rename from queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch rename to review-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch diff --git a/queue-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch b/review-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch similarity index 99% rename from queue-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch rename to review-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch index 7ed9683023d..a81b302f15e 100644 --- a/queue-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch +++ b/review-2.6.14/netfilter-fix-another-crash-in-ip_nat_pptp.patch @@ -147,7 +147,7 @@ Signed-off-by: Greg Kroah-Hartman + rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, + cid_off + sizeof(struct pptp_pkt_hdr) + + sizeof(struct PptpControlHeader), -+ sizeof(new_cid), (char *)&new_cid, ++ sizeof(new_cid), (char *)&new_cid, sizeof(new_cid)); if (rv != NF_ACCEPT) return rv; diff --git a/queue-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch b/review-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch similarity index 100% rename from queue-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch rename to review-2.6.14/netfilter-fix-crash-in-ip_nat_pptp.patch diff --git a/queue-2.6.14/series b/review-2.6.14/series similarity index 100% rename from queue-2.6.14/series rename to review-2.6.14/series diff --git a/queue-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch b/review-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch similarity index 100% rename from queue-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch rename to review-2.6.14/setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch 
diff --git a/queue-2.6.14/sparc64-fix-ptrace.patch b/review-2.6.14/sparc64-fix-ptrace.patch similarity index 100% rename from queue-2.6.14/sparc64-fix-ptrace.patch rename to review-2.6.14/sparc64-fix-ptrace.patch diff --git a/queue-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch b/review-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch similarity index 100% rename from queue-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch rename to review-2.6.14/sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch diff --git a/review/2.6.15.2-review.mbox b/review/2.6.15.2-review.mbox new file mode 100644 index 00000000000..afcfabdd312 --- /dev/null +++ b/review/2.6.15.2-review.mbox 
@@ -0,0 +1,954 @@ +From greg@press.kroah.org Fri Jan 27 18:08:10 2006 +Message-Id: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 18:06:29 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/12] 2.6.15.2 -stable review +Content-Length: 739 +Lines: 18 + + +This is the start of the stable review cycle for the 2.6.11.5.2 release. +There are 12 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Monday, January 30, 00:00:00 UTC. Anything +received after that time, might be too late. 
+ +thanks, + +the -stable release team + +From greg@press.kroah.org Fri Jan 27 18:08:10 2006 +Message-Id: <20060128020810.644064000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:01 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, clemens@ladisch.de, tiwai@suse.de, + alsa-devel@lists.sourceforge.net +Subject: [patch 01/12] usb-audio: don't use empty packets at start of playback +Content-Disposition: inline; filename=usb-audio-dont-use-empty-packets-at-start-of-playback.patch +Content-Length: 2247 +Lines: 69 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Clemens Ladisch + +Some widespread USB interface chips with adaptive iso endpoints hang +after receiving a series of empty packets when they expect data. This +completely disables audio playback on those devices. To avoid this, we +have to send packets containing silence (zero samples) instead. + +ALSA bug: http://bugtrack.alsa-project.org/alsa-bug/view.php?id=1585 + +Signed-off-by: Clemens Ladisch +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/usbaudio.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +--- linux-2.6.15.1.orig/sound/usb/usbaudio.c ++++ linux-2.6.15.1/sound/usb/usbaudio.c +@@ -480,22 +480,38 @@ static int retire_playback_sync_urb_hs(s + /* + * Prepare urb for streaming before playback starts. + * +- * We don't care about (or have) any data, so we just send a transfer delimiter. ++ * We don't yet have data, so we send a frame of silence. 
+ */ + static int prepare_startup_playback_urb(snd_usb_substream_t *subs, + snd_pcm_runtime_t *runtime, + struct urb *urb) + { +- unsigned int i; ++ unsigned int i, offs, counts; + snd_urb_ctx_t *ctx = urb->context; ++ int stride = runtime->frame_bits >> 3; + ++ offs = 0; + urb->dev = ctx->subs->dev; + urb->number_of_packets = subs->packs_per_ms; + for (i = 0; i < subs->packs_per_ms; ++i) { +- urb->iso_frame_desc[i].offset = 0; +- urb->iso_frame_desc[i].length = 0; ++ /* calculate the size of a packet */ ++ if (subs->fill_max) ++ counts = subs->maxframesize; /* fixed */ ++ else { ++ subs->phase = (subs->phase & 0xffff) ++ + (subs->freqm << subs->datainterval); ++ counts = subs->phase >> 16; ++ if (counts > subs->maxframesize) ++ counts = subs->maxframesize; ++ } ++ urb->iso_frame_desc[i].offset = offs * stride; ++ urb->iso_frame_desc[i].length = counts * stride; ++ offs += counts; + } +- urb->transfer_buffer_length = 0; ++ urb->transfer_buffer_length = offs * stride; ++ memset(urb->transfer_buffer, ++ subs->cur_audiofmt->format == SNDRV_PCM_FORMAT_U8 ? 0x80 : 0, ++ offs * stride); + return 0; + } + + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:10 2006 +Message-Id: <20060128020810.762920000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:02 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, axboe@suse.de +Subject: [patch 02/12] [BLOCK] Kill blk_attempt_remerge() +Content-Disposition: inline; filename=kill-blk_attempt_remerge.patch +Content-Length: 3249 +Lines: 95 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Jens Axboe + +[BLOCK] Kill blk_attempt_remerge() + +It's a broken interface, it's done way too late. 
And apparently it triggers +slab problems in recent kernels as well (most likely after the generic dispatch +code was merged). So kill it, ide-cd is the only user of it. + +chrisw: backport to 2.6.15 tree + +Signed-off-by: Jens Axboe +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + block/ll_rw_blk.c | 24 ------------------------ + drivers/ide/ide-cd.c | 10 ---------- + include/linux/blkdev.h | 1 - + 3 files changed, 35 deletions(-) + +--- linux-2.6.15.1.orig/block/ll_rw_blk.c ++++ linux-2.6.15.1/block/ll_rw_blk.c +@@ -2609,30 +2609,6 @@ static inline int attempt_front_merge(re + return 0; + } + +-/** +- * blk_attempt_remerge - attempt to remerge active head with next request +- * @q: The &request_queue_t belonging to the device +- * @rq: The head request (usually) +- * +- * Description: +- * For head-active devices, the queue can easily be unplugged so quickly +- * that proper merging is not done on the front request. This may hurt +- * performance greatly for some devices. The block layer cannot safely +- * do merging on that first request for these queues, but the driver can +- * call this function and make it happen any way. Only the driver knows +- * when it is safe to do so. +- **/ +-void blk_attempt_remerge(request_queue_t *q, struct request *rq) +-{ +- unsigned long flags; +- +- spin_lock_irqsave(q->queue_lock, flags); +- attempt_back_merge(q, rq); +- spin_unlock_irqrestore(q->queue_lock, flags); +-} +- +-EXPORT_SYMBOL(blk_attempt_remerge); +- + static int __make_request(request_queue_t *q, struct bio *bio) + { + struct request *req; +--- linux-2.6.15.1.orig/drivers/ide/ide-cd.c ++++ linux-2.6.15.1/drivers/ide/ide-cd.c +@@ -1332,8 +1332,6 @@ static ide_startstop_t cdrom_start_read + if (cdrom_read_from_buffer(drive)) + return ide_stopped; + +- blk_attempt_remerge(drive->queue, rq); +- + /* Clear the local sector buffer. 
*/ + info->nsectors_buffered = 0; + +@@ -1874,14 +1872,6 @@ static ide_startstop_t cdrom_start_write + return ide_stopped; + } + +- /* +- * for dvd-ram and such media, it's a really big deal to get +- * big writes all the time. so scour the queue and attempt to +- * remerge requests, often the plugging will not have had time +- * to do this properly +- */ +- blk_attempt_remerge(drive->queue, rq); +- + info->nsectors_buffered = 0; + + /* use dma, if possible. we don't need to check more, since we +--- linux-2.6.15.1.orig/include/linux/blkdev.h ++++ linux-2.6.15.1/include/linux/blkdev.h +@@ -559,7 +559,6 @@ extern void register_disk(struct gendisk + extern void generic_make_request(struct bio *bio); + extern void blk_put_request(struct request *); + extern void blk_end_sync_rq(struct request *rq); +-extern void blk_attempt_remerge(request_queue_t *, struct request *); + extern struct request *blk_get_request(request_queue_t *, int, gfp_t); + extern void blk_insert_request(request_queue_t *, struct request *, int, void *); + extern void blk_requeue_request(request_queue_t *, struct request *); + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:10 2006 +Message-Id: <20060128020810.878061000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:03 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, dtor@mail.ru +Subject: [patch 03/12] Input: HID - fix an oops in PID initialization code +Content-Disposition: inline; filename=input-hid-fix-an-oops-in-pid-initialization-code.patch +Content-Length: 966 +Lines: 29 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. 
+ +------------------ + +From: Dmitry Torokhov + +Input: HID - fix an oops in PID initialization code + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/input/pid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.1.orig/drivers/usb/input/pid.c ++++ linux-2.6.15.1/drivers/usb/input/pid.c +@@ -259,7 +259,7 @@ static int hid_pid_upload_effect(struct + int hid_pid_init(struct hid_device *hid) + { + struct hid_ff_pid *private; +- struct hid_input *hidinput = list_entry(&hid->inputs, struct hid_input, list); ++ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); + struct input_dev *input_dev = hidinput->input; + + private = hid->ff_private = kzalloc(sizeof(struct hid_ff_pid), GFP_KERNEL); + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.234763000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:06 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, 76306.1226@compuserve.com, + nickpiggin@yahoo.com.au, axboe@suse.de +Subject: [patch 06/12] elevator=as back-compatibility +Content-Disposition: inline; filename=elevator-as-back-compatibility.patch +Content-Length: 1103 +Lines: 38 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Chuck Ebbert <76306.1226@compuserve.com> + +As of 2.6.15 you need to use "anticipatory" instead of "as". Fix that up +so that `elevator=as' still works. 
+ +Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> +Cc: Nick Piggin +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + block/elevator.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- linux-2.6.15.1.orig/block/elevator.c ++++ linux-2.6.15.1/block/elevator.c +@@ -150,6 +150,13 @@ static void elevator_setup_default(void) + if (!chosen_elevator[0]) + strcpy(chosen_elevator, CONFIG_DEFAULT_IOSCHED); + ++ /* ++ * Be backwards-compatible with previous kernels, so users ++ * won't get the wrong elevator. ++ */ ++ if (!strcmp(chosen_elevator, "as")) ++ strcpy(chosen_elevator, "anticipatory"); ++ + /* + * If the given scheduler is not available, fall back to no-op. + */ + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.114239000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:05 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, dushistov@mail.ru, adobriyan@gmail.com +Subject: [patch 05/12] Fix oops in ufs_fill_super at mount time +Content-Disposition: inline; filename=fix-oops-in-ufs_fill_super-at-mount-time.patch +Content-Length: 1355 +Lines: 38 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Evgeniy + +There's a lack of parenthesis in fs/ufs/utils.h, so instead of the 512th +byte of buffer, the usb2 pointer will point to the nth structure of type +ufs_super_block_second. 
+ +This can cause a mount-time oops if you're unlucky (especially with +DEBUG_PAGEALLOC, which is how Alexey Dobriyan saw this problem) + +Signed-off-by: Evgeniy Dushistov +Acked-by: Alexey Dobriyan +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/ufs/util.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.15.1.orig/fs/ufs/util.h ++++ linux-2.6.15.1/fs/ufs/util.h +@@ -255,8 +255,8 @@ extern void _ubh_memcpyubh_(struct ufs_s + ((struct ufs_super_block_first *)((ubh)->bh[0]->b_data)) + + #define ubh_get_usb_second(ubh) \ +- ((struct ufs_super_block_second *)(ubh)-> \ +- bh[UFS_SECTOR_SIZE >> uspi->s_fshift]->b_data + (UFS_SECTOR_SIZE & ~uspi->s_fmask)) ++ ((struct ufs_super_block_second *)((ubh)->\ ++ bh[UFS_SECTOR_SIZE >> uspi->s_fshift]->b_data + (UFS_SECTOR_SIZE & ~uspi->s_fmask))) + + #define ubh_get_usb_third(ubh) \ + ((struct ufs_super_block_third *)((ubh)-> \ + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.050239000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:04 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, aviro@redhat.com +Subject: [patch 04/12] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open (CVE-2005-3356) +Content-Disposition: inline; filename=fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch +Content-Length: 3950 +Lines: 143 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Alexander Viro + +Fixed the refcounting on failure exits in sys_mq_open() and +cleaned the logics up. 
Rules are actually pretty simple - dentry_open() +expects vfsmount and dentry to be pinned down and it either transfers +them into created struct file or drops them. Old code had been very +confused in that area - if dentry_open() had failed either in do_open() +or do_create(), we ended up dentry and mqueue_mnt dropped twice, once +by dentry_open() cleanup and then by sys_mq_open(). + +Fix consists of making the rules for do_create() and do_open() +same as for dentry_open() and updating the sys_mq_open() accordingly; +that actually leads to more straightforward code and less work on +normal path. + +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + ipc/mqueue.c | 59 +++++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 33 insertions(+), 26 deletions(-) + +--- linux-2.6.15.1.orig/ipc/mqueue.c ++++ linux-2.6.15.1/ipc/mqueue.c +@@ -598,15 +598,16 @@ static int mq_attr_ok(struct mq_attr *at + static struct file *do_create(struct dentry *dir, struct dentry *dentry, + int oflag, mode_t mode, struct mq_attr __user *u_attr) + { +- struct file *filp; + struct mq_attr attr; + int ret; + +- if (u_attr != NULL) { ++ if (u_attr) { ++ ret = -EFAULT; + if (copy_from_user(&attr, u_attr, sizeof(attr))) +- return ERR_PTR(-EFAULT); ++ goto out; ++ ret = -EINVAL; + if (!mq_attr_ok(&attr)) +- return ERR_PTR(-EINVAL); ++ goto out; + /* store for use during create */ + dentry->d_fsdata = &attr; + } +@@ -615,13 +616,14 @@ static struct file *do_create(struct den + ret = vfs_create(dir->d_inode, dentry, mode, NULL); + dentry->d_fsdata = NULL; + if (ret) +- return ERR_PTR(ret); ++ goto out; + +- filp = dentry_open(dentry, mqueue_mnt, oflag); +- if (!IS_ERR(filp)) +- dget(dentry); ++ return dentry_open(dentry, mqueue_mnt, oflag); + +- return filp; ++out: ++ dput(dentry); ++ mntput(mqueue_mnt); ++ return ERR_PTR(ret); + } + + /* Opens existing queue */ +@@ -629,20 +631,20 @@ static struct file 
*do_open(struct dentr + { + static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE, + MAY_READ | MAY_WRITE }; +- struct file *filp; + +- if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) ++ if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) { ++ dput(dentry); ++ mntput(mqueue_mnt); + return ERR_PTR(-EINVAL); ++ } + +- if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) ++ if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) { ++ dput(dentry); ++ mntput(mqueue_mnt); + return ERR_PTR(-EACCES); ++ } + +- filp = dentry_open(dentry, mqueue_mnt, oflag); +- +- if (!IS_ERR(filp)) +- dget(dentry); +- +- return filp; ++ return dentry_open(dentry, mqueue_mnt, oflag); + } + + asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode, +@@ -670,17 +672,20 @@ asmlinkage long sys_mq_open(const char _ + + if (oflag & O_CREAT) { + if (dentry->d_inode) { /* entry already exists */ +- filp = (oflag & O_EXCL) ? ERR_PTR(-EEXIST) : +- do_open(dentry, oflag); ++ error = -EEXIST; ++ if (oflag & O_EXCL) ++ goto out; ++ filp = do_open(dentry, oflag); + } else { + filp = do_create(mqueue_mnt->mnt_root, dentry, + oflag, mode, u_attr); + } +- } else +- filp = (dentry->d_inode) ? 
do_open(dentry, oflag) : +- ERR_PTR(-ENOENT); +- +- dput(dentry); ++ } else { ++ error = -ENOENT; ++ if (!dentry->d_inode) ++ goto out; ++ filp = do_open(dentry, oflag); ++ } + + if (IS_ERR(filp)) { + error = PTR_ERR(filp); +@@ -691,8 +696,10 @@ asmlinkage long sys_mq_open(const char _ + fd_install(fd, filp); + goto out_upsem; + +-out_putfd: ++out: ++ dput(dentry); + mntput(mqueue_mnt); ++out_putfd: + put_unused_fd(fd); + out_err: + fd = error; + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.345934000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:07 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, davem@davemloft.net, richm@oldelvet.org.uk +Subject: [patch 07/12] Fix timekeeping on sparc64 ultra-IIe machines +Content-Disposition: inline; filename=sparc64-fix-timekeeping-on-ultra-IIe-machines.patch +Content-Length: 3053 +Lines: 83 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Richard Mortimer + +[SPARC64]: Eliminate race condition reading Hummingbird STICK register + +Ensure a consistent value is read from the STICK register by ensuring +that both high and low are read without high changing due to a roll +over of the low register. + +Various Debian/SPARC users (myself include) have noticed problems with +Hummingbird based systems. The symptoms are that the system time is +seen to jump forward 3 days, 6 hours, 11 minutes give or take a few +seconds. In many cases the system then hangs some time afterwards. + +I've spotted a race condition in the code to read the STICK register. 
+I could not work out why 3d, 6h, 11m is important but guess that it is +due to the 2^32 jump of STICK (forwards on one read and then the next +read will seem to be backwards) during a timer interrupt. I'm guessing +that a change of -2^32 will get converted to a large unsigned +increment after the arithmetic manipulation between STICK, +nanoseconds, jiffies etc. + +I did a test where I modified __hbird_read_stick to artificially +inject rollover faults forcefully every few seconds. With this I saw +the clock jump over 6 times in 12 hours compared to once every month +or so. + +Signed-off-by: Richard Mortimer +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc64/kernel/time.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- linux-2.6.15.1.orig/arch/sparc64/kernel/time.c ++++ linux-2.6.15.1/arch/sparc64/kernel/time.c +@@ -280,9 +280,9 @@ static struct sparc64_tick_ops stick_ope + * Since STICK is constantly updating, we have to access it carefully. + * + * The sequence we use to read is: +- * 1) read low +- * 2) read high +- * 3) read low again, if it rolled over increment high by 1 ++ * 1) read high ++ * 2) read low ++ * 3) read high again, if it rolled re-read both low and high again. 
+ * + * Writing STICK safely is also tricky: + * 1) write low to zero +@@ -295,18 +295,18 @@ static struct sparc64_tick_ops stick_ope + static unsigned long __hbird_read_stick(void) + { + unsigned long ret, tmp1, tmp2, tmp3; +- unsigned long addr = HBIRD_STICK_ADDR; ++ unsigned long addr = HBIRD_STICK_ADDR+8; + +- __asm__ __volatile__("ldxa [%1] %5, %2\n\t" +- "add %1, 0x8, %1\n\t" +- "ldxa [%1] %5, %3\n\t" ++ __asm__ __volatile__("ldxa [%1] %5, %2\n" ++ "1:\n\t" + "sub %1, 0x8, %1\n\t" ++ "ldxa [%1] %5, %3\n\t" ++ "add %1, 0x8, %1\n\t" + "ldxa [%1] %5, %4\n\t" + "cmp %4, %2\n\t" +- "blu,a,pn %%xcc, 1f\n\t" +- " add %3, 1, %3\n" +- "1:\n\t" +- "sllx %3, 32, %3\n\t" ++ "bne,a,pn %%xcc, 1b\n\t" ++ " mov %4, %2\n\t" ++ "sllx %4, 32, %4\n\t" + "or %3, %4, %0\n\t" + : "=&r" (ret), "=&r" (addr), + "=&r" (tmp1), "=&r" (tmp2), "=&r" (tmp3) + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.462153000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:08 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, davem@davemloft.net +Subject: [patch 08/12] [NET]: Make second arg to skb_reserved() signed. +Content-Disposition: inline; filename=net-make-second-arg-to-skb_reserved-signed.patch +Content-Length: 1074 +Lines: 34 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: David S. Miller + +Some subsystems, such as PPP, can send negative values +here. It just happened to work correctly on 32-bit with +an unsigned value, but on 64-bit this explodes. + +Figured out by Paul Mackerras based upon several PPP crash +reports. + +Signed-off-by: David S. 
Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.1.orig/include/linux/skbuff.h ++++ linux-2.6.15.1/include/linux/skbuff.h +@@ -927,7 +927,7 @@ static inline int skb_tailroom(const str + * Increase the headroom of an empty &sk_buff by reducing the tail + * room. This is only allowed for an empty buffer. + */ +-static inline void skb_reserve(struct sk_buff *skb, unsigned int len) ++static inline void skb_reserve(struct sk_buff *skb, int len) + { + skb->data += len; + skb->tail += len; + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.579148000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:09 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, ak@suse.de +Subject: [patch 09/12] Mask off GFP flags before swiotlb_alloc_coherent +Content-Disposition: inline; filename=mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch +Content-Length: 732 +Lines: 28 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. 
+ +------------------ + +From: Andi Kleen + +Mask off GFP flags before swiotlb_alloc_coherent + +Signed-off-by: Andi Kleen +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86_64/kernel/pci-gart.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.15.1.orig/arch/x86_64/kernel/pci-gart.c ++++ linux-2.6.15.1/arch/x86_64/kernel/pci-gart.c +@@ -244,6 +244,7 @@ dma_alloc_coherent(struct device *dev, s + get_order(size)); + + if (swiotlb) { ++ gfp &= ~(GFP_DMA32|GFP_DMA); + return + swiotlb_alloc_coherent(dev, size, + dma_handle, + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.867358000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:11 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, Markus.Lidel@shadowconnect.com, + theonetruekenny@yahoo.com +Subject: [patch 11/12] Fix i2o_scsi oops on abort +Content-Disposition: inline; filename=fix-i2o_scsi-oops-on-abort.patch +Content-Length: 1110 +Lines: 35 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Markus Lidel + +>From http://bugzilla.kernel.org/show_bug.cgi?id=5923 + +When a scsi command failed, an oops would result. + +Back-to-back SMART queries would make the Seagate drives unhappy. The +second SMART query would timeout, and the command would be aborted. 
+ +From: Markus Lidel +Cc: Kenny Simpson +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/message/i2o/i2o_scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.1.orig/drivers/message/i2o/i2o_scsi.c ++++ linux-2.6.15.1/drivers/message/i2o/i2o_scsi.c +@@ -729,7 +729,7 @@ static int i2o_scsi_abort(struct scsi_cm + &msg->u.head[1]); + writel(i2o_cntxt_list_get_ptr(c, SCpnt), &msg->body[0]); + +- if (i2o_msg_post_wait(c, m, I2O_TIMEOUT_SCSI_SCB_ABORT)) ++ if (!i2o_msg_post_wait(c, msg, I2O_TIMEOUT_SCSI_SCB_ABORT)) + status = SUCCESS; + + return status; + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:11 2006 +Message-Id: <20060128020811.699623000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:10 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, reiser@namesys.com, vitaly@namesys.com +Subject: [patch 10/12] Someone broke reiserfs v3 mount options and this fixes it +Content-Disposition: inline; filename=someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch +Content-Length: 821 +Lines: 28 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. 
+ +------------------ + +From: Vitaly Fertman + +Signed-off-by: Hans Reiser +Signed-off-by: Vitaly Fertman +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.15.1.orig/fs/reiserfs/super.c ++++ linux-2.6.15.1/fs/reiserfs/super.c +@@ -1131,7 +1131,7 @@ static void handle_attrs(struct super_bl + REISERFS_SB(s)->s_mount_opt &= ~(1 << REISERFS_ATTRS); + } + } else if (le32_to_cpu(rs->s_flags) & reiserfs_attrs_cleared) { +- REISERFS_SB(s)->s_mount_opt |= REISERFS_ATTRS; ++ REISERFS_SB(s)->s_mount_opt |= (1 << REISERFS_ATTRS); + } + } + + +-- + +From greg@press.kroah.org Fri Jan 27 18:08:12 2006 +Message-Id: <20060128020811.929376000@press.kroah.org> +References: <20060128020629.908825000@press.kroah.org> +Date: Fri, 27 Jan 2006 00:00:12 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + torvalds@osdl.org, + akpm@osdl.org, + alan@lxorguk.ukuu.org.uk, ralf@linux-mips.org +Subject: [patch 12/12] Fix mkiss locking bug +Content-Disposition: inline; filename=fix-mkiss-locking-bug.patch +Content-Length: 819 +Lines: 29 + +2.6.15.2 -stable review patch. If anyone has any objections, please let +us know. + +------------------ + +From: Ralf Baechle DL5RB + +ax_encaps() forgot to drop the bufferlock at the end of the function. +Patch is already in 2.6.16-rc1. 
+ +Signed-off-by: Ralf Baechle DL5RB +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.15.1.orig/drivers/net/hamradio/mkiss.c ++++ linux-2.6.15.1/drivers/net/hamradio/mkiss.c +@@ -515,6 +515,7 @@ static void ax_encaps(struct net_device + count = kiss_esc(p, (unsigned char *)ax->xbuff, len); + } + } ++ spin_unlock_bh(&ax->buflock); + + set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); + actual = ax->tty->driver->write(ax->tty, ax->xbuff, count); + +-- + diff --git a/queue/elevator-as-back-compatibility.patch b/review/elevator-as-back-compatibility.patch similarity index 100% rename from queue/elevator-as-back-compatibility.patch rename to review/elevator-as-back-compatibility.patch diff --git a/queue/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch b/review/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch similarity index 100% rename from queue/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch rename to review/fix-double-decrement-of-mqueue_mnt-mnt_count-in-sys_mq_open.patch diff --git a/queue/fix-i2o_scsi-oops-on-abort.patch b/review/fix-i2o_scsi-oops-on-abort.patch similarity index 100% rename from queue/fix-i2o_scsi-oops-on-abort.patch rename to review/fix-i2o_scsi-oops-on-abort.patch diff --git a/queue/fix-mkiss-locking-bug.patch b/review/fix-mkiss-locking-bug.patch similarity index 100% rename from queue/fix-mkiss-locking-bug.patch rename to review/fix-mkiss-locking-bug.patch diff --git a/queue/fix-oops-in-ufs_fill_super-at-mount-time.patch b/review/fix-oops-in-ufs_fill_super-at-mount-time.patch similarity index 100% rename from queue/fix-oops-in-ufs_fill_super-at-mount-time.patch rename to review/fix-oops-in-ufs_fill_super-at-mount-time.patch 
diff --git a/queue/input-hid-fix-an-oops-in-pid-initialization-code.patch b/review/input-hid-fix-an-oops-in-pid-initialization-code.patch similarity index 100% rename from queue/input-hid-fix-an-oops-in-pid-initialization-code.patch rename to review/input-hid-fix-an-oops-in-pid-initialization-code.patch diff --git a/queue/kill-blk_attempt_remerge.patch b/review/kill-blk_attempt_remerge.patch similarity index 100% rename from queue/kill-blk_attempt_remerge.patch rename to review/kill-blk_attempt_remerge.patch diff --git a/queue/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch b/review/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch similarity index 100% rename from queue/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch rename to review/mask-off-GFP-flags-before-swiotlb_alloc_coherent.patch diff --git a/queue/net-make-second-arg-to-skb_reserved-signed.patch b/review/net-make-second-arg-to-skb_reserved-signed.patch similarity index 100% rename from queue/net-make-second-arg-to-skb_reserved-signed.patch rename to review/net-make-second-arg-to-skb_reserved-signed.patch diff --git a/queue/series b/review/series similarity index 100% rename from queue/series rename to review/series diff --git a/queue/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch b/review/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch similarity index 100% rename from queue/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch rename to review/someone-broke-reiserfs-v3-mount-options-and-this-fixes-it.patch diff --git a/queue/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch b/review/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch similarity index 100% rename from queue/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch rename to review/sparc64-fix-timekeeping-on-ultra-IIe-machines.patch 
diff --git a/queue/usb-audio-dont-use-empty-packets-at-start-of-playback.patch b/review/usb-audio-dont-use-empty-packets-at-start-of-playback.patch similarity index 100% rename from queue/usb-audio-dont-use-empty-packets-at-start-of-playback.patch rename to review/usb-audio-dont-use-empty-packets-at-start-of-playback.patch
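Review bot: in block/elevator.c, elevator_setup_default(), the added strcpy(chosen_elevator, "anticipatory") copies 13 bytes into a buffer whose declaration is outside the hunk, and nothing on the line ties the copy to the buffer's size. Suggest strlcpy(chosen_elevator, "anticipatory", sizeof(chosen_elevator)), or at least confirming the array is sized for the longest scheduler name. The new comment could also name "as" as the old spelling being accepted, so the alias is not later removed as dead code.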
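Review bot: in fs/ufs/util.h, the corrected ubh_get_usb_second() carries no comment saying that the added offset is in bytes, which is exactly what the misplaced cast got wrong, and the macro still takes uspi from the caller's scope instead of as an argument. A one-line comment that the cast must wrap the whole "b_data + byte offset" expression would guard against the parenthesis being dropped again. Style: the new first line ends in "->\" where ubh_get_usb_third in the context below uses "-> \".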
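Review bot: in ipc/mqueue.c, do_create() now drops the dentry and mqueue_mnt references itself on every failure path through the new out: label, but nothing above the function states that ownership rule. Since the changelog says the old bug came from confusion over who drops what, a short comment on do_create() and do_open() saying that both consume the caller's references, success or failure, the same as dentry_open(), would keep the contract visible in the source and not only in the commit message.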
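Review bot: in ipc/mqueue.c, do_open(), the pair dput(dentry); mntput(mqueue_mnt); is written out twice, once in each error branch, while do_create() in the same patch funnels its failures through a single out: label. Using the same "ret = ...; goto out;" shape here would keep the two functions symmetrical and make it harder for a future third error branch to forget one of the two puts.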
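Review bot: in ipc/mqueue.c, sys_mq_open(), the new out: label falls through into out_putfd:, so correctness depends on the IS_ERR(filp) branch jumping to out_putfd and not to out, and that goto sits in the gap between the @@ -670 and @@ -691 hunks where it is not shown. By that point do_open() or do_create() has already dropped both references, so landing on out: would bring the double decrement back. Please confirm the target, and consider a comment at the labels: out: for "references still held", out_putfd: for "references already consumed".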
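Review bot: in arch/sparc64/kernel/time.c, __hbird_read_stick(), the location of the high word is now encoded three times without a name (HBIRD_STICK_ADDR+8 in the initializer, then "sub %1, 0x8" and "add %1, 0x8" in the asm), and after the reordering %3 holds low and %4 holds high while the C variables are still tmp1, tmp2, tmp3. A comment beside each ldxa saying which half it reads, or renaming the temporaries, would make the final "sllx %4, 32" and "or %3, %4" checkable at a glance. The retry at label 1: is also unbounded; the comment block above should say that high is expected to change at most once per rollover of low, so the loop ends after one extra pass.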
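Review bot: in include/linux/skbuff.h, the kerneldoc directly above skb_reserve() still says the call will "Increase the headroom of an empty &sk_buff by reducing the tail room", which is no longer the whole contract once len is a signed int and callers may pass negative values. The comment should say that a negative len moves data and tail backwards, and it is worth stating (or checking in a debug build) that the result must not move skb->data below the start of the buffer, since nothing in the function enforces it. The subject line also names skb_reserved() while the function is skb_reserve().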
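Review bot: in arch/x86_64/kernel/pci-gart.c, dma_alloc_coherent(), the added "gfp &= ~(GFP_DMA32|GFP_DMA);" has no comment and the changelog only repeats the subject, so a reader cannot tell why the zone flags must not reach swiotlb_alloc_coherent() or what failed without the mask. Please add a sentence to the changelog and a one-line comment above the statement. Style: spaces around the "|" would match usual kernel formatting.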
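Review bot: in drivers/message/i2o/i2o_scsi.c, i2o_scsi_abort(), the one-line change does two separate things, inverting the test on i2o_msg_post_wait() and passing msg where m was passed before, and the changelog explains neither. It describes the symptom (an oops when the second SMART query is aborted) but not which of the two was the cause. Please say in the changelog that a zero return is now treated as success, and why m was the wrong argument, so the two fixes can be reviewed independently.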
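Review bot: in fs/reiserfs/super.c, handle_attrs(), the patch has no changelog body at all, only a subject that says someone broke the mount options. The fix itself is consistent with the context line above it, which clears the option with "&= ~(1 << REISERFS_ATTRS)", so REISERFS_ATTRS is a bit index and the old "|= REISERFS_ATTRS" set the wrong bits. Please say that in the changelog, and consider a small set/clear helper for s_mount_opt so the index and the mask cannot be mixed up again.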
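Review bot: in drivers/net/hamradio/mkiss.c, ax_encaps(), the added spin_unlock_bh(&ax->buflock) is placed before the driver->write() call that reads ax->xbuff, so the transmit buffer filled under the lock is handed to the tty driver after the lock has been dropped. If buflock is what protects xbuff, is a concurrent ax_encaps() able to overwrite it before or during the write? Either a comment explaining why that is safe or moving the unlock after the write would settle it. The matching lock call is outside the hunk, so please also confirm that no early return between it and this line leaves the lock held.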