--- /dev/null
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213236.180277574@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:15 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jesper Juhl <jesper.juhl@gmail.com>,
+ Mike Miller <mike.miller@hp.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 01/23] cciss: fix memory leak
+Content-Disposition: inline; filename=cciss-fix-memory-leak.patch
+Content-Length: 1254
+Lines: 48
+
+2.6.22-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jesper Juhl <jesper.juhl@gmail.com>
+
+mainline: f2912a1223c0917a7b4e054f18086209137891ea
+
+There's a memory leak in the cciss driver.
+
+in alloc_cciss_hba() we may leak sizeof(ctlr_info_t) bytes if a
+call to alloc_disk(1 << NWD_SHIFT) fails.
+This patch should fix the issue.
+
+Spotted by the Coverity checker.
+
+Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
+Acked-by: Mike Miller <mike.miller@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -3225,12 +3225,15 @@ static int alloc_cciss_hba(void)
+ for (i = 0; i < MAX_CTLR; i++) {
+ if (!hba[i]) {
+ ctlr_info_t *p;
++
+ p = kzalloc(sizeof(ctlr_info_t), GFP_KERNEL);
+ if (!p)
+ goto Enomem;
+ p->gendisk[0] = alloc_disk(1 << NWD_SHIFT);
+- if (!p->gendisk[0])
++ if (!p->gendisk[0]) {
++ kfree(p);
+ goto Enomem;
++ }
+ hba[i] = p;
+ return i;
+ }
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213236.337306122@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:16 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jeff Garzik <jeff@garzik.org>,
+ Mikael Pettersson <mikpe@it.uu.se>
+Subject: [patch 02/23] sata_promise: FastTrack TX4200 is a second-generation chip
+Content-Disposition: inline; filename=sata_promise-fasttrack-tx4200-is-a-second-generation-chip.patch
+Content-Length: 1481
+Lines: 44
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Mikael Pettersson <mikpe@it.uu.se>
+
+patch 7f9992a23190418592f0810900e4f91546ec41da in mainline.
+
+This patch corrects sata_promise to classify FastTrack TX4200
+(DID 3515/3519) as a second-generation chip. Promise's partial-
+source FT TX4200 driver confirms this classification.
+
+Treating it as a first-generation chip causes several problems:
+1. Detection failures. This is a recent regression triggered by
+ the hotplug-enabling changes in 2.6.23-rc1.
+2. Various "failed to resume link for reset" warnings.
+
+This patch fixes <http://bugzilla.kernel.org/show_bug.cgi?id=8936>.
+
+Thanks to Stephen Ziemba for reporting the bug and for testing the fix.
+
+Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/sata_promise.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_promise.c
++++ b/drivers/ata/sata_promise.c
+@@ -330,8 +330,8 @@ static const struct pci_device_id pdc_at
+
+ { PCI_VDEVICE(PROMISE, 0x3318), board_20319 },
+ { PCI_VDEVICE(PROMISE, 0x3319), board_20319 },
+- { PCI_VDEVICE(PROMISE, 0x3515), board_20319 },
+- { PCI_VDEVICE(PROMISE, 0x3519), board_20319 },
++ { PCI_VDEVICE(PROMISE, 0x3515), board_40518 },
++ { PCI_VDEVICE(PROMISE, 0x3519), board_40518 },
+ { PCI_VDEVICE(PROMISE, 0x3d17), board_40518 },
+ { PCI_VDEVICE(PROMISE, 0x3d18), board_40518 },
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213236.496648649@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:17 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jeff Garzik <jeff@garzik.org>,
+ Mikael Pettersson <mikpe@it.uu.se>
+Subject: [patch 03/23] sata_promise: ASIC PRD table bug workaround
+Content-Disposition: inline; filename=sata_promise-asic-prd-table-bug-workaround.patch
+Content-Length: 4433
+Lines: 162
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Mikael Pettersson <mikpe@it.uu.se>
+
+patch b9ccd4a90bbb964506f01b4bdcff4f50f8d5d334 in mainline.
+
+Second-generation Promise SATA controllers have an ASIC bug
+which can trigger if the last PRD entry is larger than 164 bytes,
+resulting in intermittent errors and possible data corruption.
+
+Work around this by replacing calls to ata_qc_prep() with a
+private version that fills the PRD, checks the size of the
+last entry, and if necessary splits it to avoid the bug.
+Also reduce sg_tablesize by 1 to accommodate the new entry.
+
+Tested on the second-generation SATA300 TX4 and SATA300 TX2plus,
+and the first-generation PDC20378.
+
+Thanks to Alexander Sabourenkov for verifying the bug by
+studying the vendor driver, and for writing the initial patch
+upon which this one is based.
+
+Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
+Cc: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/sata_promise.c | 87 ++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 83 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/sata_promise.c
++++ b/drivers/ata/sata_promise.c
+@@ -51,6 +51,7 @@
+ enum {
+ PDC_MAX_PORTS = 4,
+ PDC_MMIO_BAR = 3,
++ PDC_MAX_PRD = LIBATA_MAX_PRD - 1, /* -1 for ASIC PRD bug workaround */
+
+ /* register offsets */
+ PDC_FEATURE = 0x04, /* Feature/Error reg (per port) */
+@@ -157,7 +158,7 @@ static struct scsi_host_template pdc_ata
+ .queuecommand = ata_scsi_queuecmd,
+ .can_queue = ATA_DEF_QUEUE,
+ .this_id = ATA_SHT_THIS_ID,
+- .sg_tablesize = LIBATA_MAX_PRD,
++ .sg_tablesize = PDC_MAX_PRD,
+ .cmd_per_lun = ATA_SHT_CMD_PER_LUN,
+ .emulated = ATA_SHT_EMULATED,
+ .use_clustering = ATA_SHT_USE_CLUSTERING,
+@@ -531,6 +532,84 @@ static void pdc_atapi_pkt(struct ata_que
+ memcpy(buf+31, cdb, cdb_len);
+ }
+
++/**
++ * pdc_fill_sg - Fill PCI IDE PRD table
++ * @qc: Metadata associated with taskfile to be transferred
++ *
++ * Fill PCI IDE PRD (scatter-gather) table with segments
++ * associated with the current disk command.
++ * Make sure hardware does not choke on it.
++ *
++ * LOCKING:
++ * spin_lock_irqsave(host lock)
++ *
++ */
++static void pdc_fill_sg(struct ata_queued_cmd *qc)
++{
++ struct ata_port *ap = qc->ap;
++ struct scatterlist *sg;
++ unsigned int idx;
++ const u32 SG_COUNT_ASIC_BUG = 41*4;
++
++ if (!(qc->flags & ATA_QCFLAG_DMAMAP))
++ return;
++
++ WARN_ON(qc->__sg == NULL);
++ WARN_ON(qc->n_elem == 0 && qc->pad_len == 0);
++
++ idx = 0;
++ ata_for_each_sg(sg, qc) {
++ u32 addr, offset;
++ u32 sg_len, len;
++
++ /* determine if physical DMA addr spans 64K boundary.
++ * Note h/w doesn't support 64-bit, so we unconditionally
++ * truncate dma_addr_t to u32.
++ */
++ addr = (u32) sg_dma_address(sg);
++ sg_len = sg_dma_len(sg);
++
++ while (sg_len) {
++ offset = addr & 0xffff;
++ len = sg_len;
++ if ((offset + sg_len) > 0x10000)
++ len = 0x10000 - offset;
++
++ ap->prd[idx].addr = cpu_to_le32(addr);
++ ap->prd[idx].flags_len = cpu_to_le32(len & 0xffff);
++ VPRINTK("PRD[%u] = (0x%X, 0x%X)\n", idx, addr, len);
++
++ idx++;
++ sg_len -= len;
++ addr += len;
++ }
++ }
++
++ if (idx) {
++ u32 len = le32_to_cpu(ap->prd[idx - 1].flags_len);
++
++ if (len > SG_COUNT_ASIC_BUG) {
++ u32 addr;
++
++ VPRINTK("Splitting last PRD.\n");
++
++ addr = le32_to_cpu(ap->prd[idx - 1].addr);
++ ap->prd[idx - 1].flags_len = cpu_to_le32(len - SG_COUNT_ASIC_BUG);
++ VPRINTK("PRD[%u] = (0x%X, 0x%X)\n", idx - 1, addr, SG_COUNT_ASIC_BUG);
++
++ addr = addr + len - SG_COUNT_ASIC_BUG;
++ len = SG_COUNT_ASIC_BUG;
++ ap->prd[idx].addr = cpu_to_le32(addr);
++ ap->prd[idx].flags_len = cpu_to_le32(len);
++ VPRINTK("PRD[%u] = (0x%X, 0x%X)\n", idx, addr, len);
++
++ idx++;
++ }
++
++ ap->prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT);
++ }
++}
++
+ static void pdc_qc_prep(struct ata_queued_cmd *qc)
+ {
+ struct pdc_port_priv *pp = qc->ap->private_data;
+@@ -540,7 +619,7 @@ static void pdc_qc_prep(struct ata_queue
+
+ switch (qc->tf.protocol) {
+ case ATA_PROT_DMA:
+- ata_qc_prep(qc);
++ pdc_fill_sg(qc);
+ /* fall through */
+
+ case ATA_PROT_NODATA:
+@@ -556,11 +635,11 @@ static void pdc_qc_prep(struct ata_queue
+ break;
+
+ case ATA_PROT_ATAPI:
+- ata_qc_prep(qc);
++ pdc_fill_sg(qc);
+ break;
+
+ case ATA_PROT_ATAPI_DMA:
+- ata_qc_prep(qc);
++ pdc_fill_sg(qc);
+ /*FALLTHROUGH*/
+ case ATA_PROT_ATAPI_NODATA:
+ pdc_atapi_pkt(qc);
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213236.650421404@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:18 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ian Abbott <abbotti@mev.co.uk>
+Subject: [patch 04/23] PCI: Fix fakephp deadlock
+Content-Disposition: inline; filename=pci-fix-fakephp-deadlock.patch
+Content-Length: 4093
+Lines: 137
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+This patch works around a problem in the fakephp driver when a process
+writing "0" to a "power" sysfs file to fake removal of a PCI device ends
+up deadlocking itself in the sysfs code.
+
+The patch is functionally identical to the one in Linus' tree post 2.6.24:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5c796ae7a7ebe56967ed9b9963d7c16d733635ff
+
+I have tested it on a 2.6.22 kernel.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/hotplug/fakephp.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/hotplug/fakephp.c
++++ b/drivers/pci/hotplug/fakephp.c
+@@ -39,6 +39,7 @@
+ #include <linux/init.h>
+ #include <linux/string.h>
+ #include <linux/slab.h>
++#include <linux/workqueue.h>
+ #include "../pci.h"
+
+ #if !defined(MODULE)
+@@ -63,10 +64,16 @@ struct dummy_slot {
+ struct list_head node;
+ struct hotplug_slot *slot;
+ struct pci_dev *dev;
++ struct work_struct remove_work;
++ unsigned long removed;
+ };
+
+ static int debug;
+ static LIST_HEAD(slot_list);
++static struct workqueue_struct *dummyphp_wq;
++
++static void pci_rescan_worker(struct work_struct *work);
++static DECLARE_WORK(pci_rescan_work, pci_rescan_worker);
+
+ static int enable_slot (struct hotplug_slot *slot);
+ static int disable_slot (struct hotplug_slot *slot);
+@@ -109,7 +116,7 @@ static int add_slot(struct pci_dev *dev)
+ slot->name = &dev->dev.bus_id[0];
+ dbg("slot->name = %s\n", slot->name);
+
+- dslot = kmalloc(sizeof(struct dummy_slot), GFP_KERNEL);
++ dslot = kzalloc(sizeof(struct dummy_slot), GFP_KERNEL);
+ if (!dslot)
+ goto error_info;
+
+@@ -164,6 +171,14 @@ static void remove_slot(struct dummy_slo
+ err("Problem unregistering a slot %s\n", dslot->slot->name);
+ }
+
++/* called from the single-threaded workqueue handler to remove a slot */
++static void remove_slot_worker(struct work_struct *work)
++{
++ struct dummy_slot *dslot =
++ container_of(work, struct dummy_slot, remove_work);
++ remove_slot(dslot);
++}
++
+ /**
+ * Rescan slot.
+ * Tries hard not to re-enable already existing devices
+@@ -267,11 +282,17 @@ static inline void pci_rescan(void) {
+ pci_rescan_buses(&pci_root_buses);
+ }
+
++/* called from the single-threaded workqueue handler to rescan all pci buses */
++static void pci_rescan_worker(struct work_struct *work)
++{
++ pci_rescan();
++}
+
+ static int enable_slot(struct hotplug_slot *hotplug_slot)
+ {
+ /* mis-use enable_slot for rescanning of the pci bus */
+- pci_rescan();
++ cancel_work_sync(&pci_rescan_work);
++ queue_work(dummyphp_wq, &pci_rescan_work);
+ return -ENODEV;
+ }
+
+@@ -306,6 +327,10 @@ static int disable_slot(struct hotplug_s
+ err("Can't remove PCI devices with other PCI devices behind it yet.\n");
+ return -ENODEV;
+ }
++ if (test_and_set_bit(0, &dslot->removed)) {
++ dbg("Slot already scheduled for removal\n");
++ return -ENODEV;
++ }
+ /* search for subfunctions and disable them first */
+ if (!(dslot->dev->devfn & 7)) {
+ for (func = 1; func < 8; func++) {
+@@ -328,8 +353,9 @@ static int disable_slot(struct hotplug_s
+ /* remove the device from the pci core */
+ pci_remove_bus_device(dslot->dev);
+
+- /* blow away this sysfs entry and other parts. */
+- remove_slot(dslot);
++ /* queue work item to blow away this sysfs entry and other parts. */
++ INIT_WORK(&dslot->remove_work, remove_slot_worker);
++ queue_work(dummyphp_wq, &dslot->remove_work);
+
+ return 0;
+ }
+@@ -340,6 +366,7 @@ static void cleanup_slots (void)
+ struct list_head *next;
+ struct dummy_slot *dslot;
+
++ destroy_workqueue(dummyphp_wq);
+ list_for_each_safe (tmp, next, &slot_list) {
+ dslot = list_entry (tmp, struct dummy_slot, node);
+ remove_slot(dslot);
+@@ -351,6 +378,10 @@ static int __init dummyphp_init(void)
+ {
+ info(DRIVER_DESC "\n");
+
++ dummyphp_wq = create_singlethread_workqueue(MY_NAME);
++ if (!dummyphp_wq)
++ return -ENOMEM;
++
+ return pci_scan_buses();
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213236.804769722@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:19 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christoph Lameter <clameter@sgi.com>,
+ Dhaval Giani <dhaval@linux.vnet.ibm.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 05/23] quicklists: do not release off node pages early
+Content-Disposition: inline; filename=quicklists-do-not-release-off-node-pages-early.patch
+Content-Length: 1072
+Lines: 44
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Christoph Lameter <clameter@sgi.com>
+
+patch ed367fc3a7349b17354c7acef551533337764859 in mainline.
+
+quicklists must keep even off node pages on the quicklists until the TLB
+flush has been completed.
+
+Signed-off-by: Christoph Lameter <clameter@sgi.com>
+Cc: Dhaval Giani <dhaval@linux.vnet.ibm.com>
+Cc: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ include/linux/quicklist.h | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/include/linux/quicklist.h
++++ b/include/linux/quicklist.h
+@@ -56,14 +56,6 @@ static inline void __quicklist_free(int
+ struct page *page)
+ {
+ struct quicklist *q;
+- int nid = page_to_nid(page);
+-
+- if (unlikely(nid != numa_node_id())) {
+- if (dtor)
+- dtor(p);
+- __free_page(page);
+- return;
+- }
+
+ q = &get_cpu_var(quicklist)[nr];
+ *(void **)p = q->page;
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213236.960945159@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:20 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [patch 06/23] NFS: Fix a potential file corruption issue when writing
+Content-Disposition: inline; filename=nfs-fix-a-potential-file-corruption-issue-when-writing.patch
+Content-Length: 2860
+Lines: 83
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.
+
+If the inode is flagged as having an invalid mapping, then we can't rely on
+the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
+write optimisation in nfs_updatepage(), since that will cause NFS to write
+out areas of the page that are no longer guaranteed to be up to date.
+
+A potential corruption could occur in the following scenario:
+
+client 1 client 2
+=============== ===============
+ fd=open("f",O_CREAT|O_WRONLY,0644);
+ write(fd,"fubar\n",6); // cache last page
+ close(fd);
+fd=open("f",O_WRONLY|O_APPEND);
+write(fd,"foo\n",4);
+close(fd);
+
+ fd=open("f",O_WRONLY|O_APPEND);
+ write(fd,"bar\n",4);
+ close(fd);
+-----
+The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
+client 2 does not update the cached page after re-opening the file for
+write. Instead it keeps it marked as PageUptodate() until someone calls
+invalidate_inode_pages2() (typically by calling read()).
+
+The bug was introduced by commit 44b11874ff583b6e766a05856b04f3c492c32b84
+"NFS: Separate metadata and page cache revalidation mechanisms"
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/write.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -710,6 +710,17 @@ int nfs_flush_incompatible(struct file *
+ }
+
+ /*
++ * If the page cache is marked as unsafe or invalid, then we can't rely on
++ * the PageUptodate() flag. In this case, we will need to turn off
++ * write optimisations that depend on the page contents being correct.
++ */
++static int nfs_write_pageuptodate(struct page *page, struct inode *inode)
++{
++ return PageUptodate(page) &&
++ !(NFS_I(inode)->cache_validity & (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA));
++}
++
++/*
+ * Update and possibly write a cached page of an NFS file.
+ *
+ * XXX: Keep an eye on generic_file_read to make sure it doesn't do bad
+@@ -730,10 +741,13 @@ int nfs_updatepage(struct file *file, st
+ (long long)(page_offset(page) +offset));
+
+ /* If we're not using byte range locks, and we know the page
+- * is entirely in cache, it may be more efficient to avoid
+- * fragmenting write requests.
++ * is up to date, it may be more efficient to extend the write
++ * to cover the entire page in order to avoid fragmentation
++ * inefficiencies.
+ */
+- if (PageUptodate(page) && inode->i_flock == NULL && !(file->f_mode & O_SYNC)) {
++ if (nfs_write_pageuptodate(page, inode) &&
++ inode->i_flock == NULL &&
++ !(file->f_mode & O_SYNC)) {
+ count = max(count + offset, nfs_page_length(page));
+ offset = 0;
+ }
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213237.118468182@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:21 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Lee Schermerhorn <lee.schermerhorn@hp.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>,
+ Jens Axboe <jens.axboe@oracle.com>
+Subject: [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver
+Content-Disposition: inline; filename=cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch
+Content-Length: 3620
+Lines: 88
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+
+mainline: a683d652d334a546be9175b894f42dbd8e399536
+
+New scatter/gather list chaining [sg_next()] treats 'page' member of
+struct scatterlist with low bit set [0x01] as a chain pointer to
+another struct scatterlist [array]. The CCISS driver request function
+passes an uninitialized, temporary, on-stack scatterlist array to
+blk_rq_map_sq(). sg_next() interprets random data on the stack as a
+chain pointer and eventually tries to de-reference an invalid pointer,
+resulting in:
+
+[<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+PGD 6090c3067 PUD 0
+Oops: 0000 [1] SMP
+last sysfs file: /block/cciss!c0d0/cciss!c0d0p1/dev
+CPU 6
+Modules linked in: ehci_hcd ohci_hcd uhci_hcd
+Pid: 1, comm: init Not tainted 2.6.23-rc6-mm1 #3
+RIP: 0010:[<ffffffff8031dd70>] [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+RSP: 0018:ffff81060901f768 EFLAGS: 00010206
+RAX: 000000040b161000 RBX: ffff81060901f7d8 RCX: 000000040b162c00
+RDX: 0000000000000000 RSI: ffff81060b13a260 RDI: ffff81060b139600
+RBP: 0000000000001400 R08: 00000000fffffffe R09: 0000000000000400
+R10: 0000000000000000 R11: 000000040b163000 R12: ffff810102fe0000
+R13: 0000000000000001 R14: 0000000000000001 R15: 00001e0000000000
+FS: 00000000026108f0(0063) GS:ffff810409000b80(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 000000010000001e CR3: 00000006090c6000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process init (pid: 1, threadinfo ffff81060901e000, task ffff810409020800)
+last branch before last exception/interrupt
+from [<ffffffff8031de0a>] blk_rq_map_sg+0x10a/0x170
+to [<ffffffff8031dd70>] blk_rq_map_sg+0x70/0x170
+Stack: 000000018068ea00 ffff810102fe0000 0000000000000000 ffff810011400000
+0000000000000002 0000000000000000 ffff81040b172000 ffffffff803acd3d
+0000000000003ec1 ffff8106090d5000 ffff8106090d5000 ffff810102fe0000
+Call Trace:
+[<ffffffff803acd3d>] do_cciss_request+0x15d/0x4c0
+[<ffffffff80298968>] new_slab+0x1c8/0x270
+[<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
+[<ffffffff8027327b>] mempool_alloc+0x4b/0x130
+[<ffffffff8032b21e>] cfq_set_request+0xee/0x380
+[<ffffffff8027327b>] mempool_alloc+0x4b/0x130
+[<ffffffff8031ff98>] get_request+0x168/0x360
+[<ffffffff80331b0d>] rb_insert_color+0x8d/0x110
+[<ffffffff8031cfd8>] elv_rb_add+0x58/0x60
+[<ffffffff8032a329>] cfq_add_rq_rb+0x69/0xa0
+[<ffffffff8031c1ab>] elv_merged_request+0x5b/0x60
+[<ffffffff803224fd>] __make_request+0x23d/0x650
+[<ffffffff80298ffd>] __slab_alloc+0x22d/0x470
+[<ffffffff80270000>] generic_write_checks+0x140/0x190
+[<ffffffff8031f012>] generic_make_request+0x1c2/0x3a0
+<etc>
+Kernel panic - not syncing: Attempted to kill init!
+
+This patch initializes the tmp_sg array to zeroes. Perhaps not the ultimate
+fix, but an effective work-around. I can now boot 23-rc6-mm1 on an HP
+Proliant x86_64 with CCISS boot disk.
+
+Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -2568,6 +2568,7 @@ static void do_cciss_request(request_que
+ (int)creq->nr_sectors);
+ #endif /* CCISS_DEBUG */
+
++ memset(tmp_sg, 0, sizeof(tmp_sg));
+ seg = blk_rq_map_sg(q, creq, tmp_sg);
+
+ /* get the DMA records for the setup */
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213237.278059694@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:22 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Roland McGrath <roland@redhat.com>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 08/23] Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)
+Content-Disposition: inline; filename=handle-bogus-cs-selector-in-single-step-instruction-decoding.patch
+Content-Length: 2618
+Lines: 95
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Roland McGrath <roland@redhat.com>
+
+Handle bogus %cs selector in single-step instruction decoding
+
+mainline: 29eb51101c02df517ca64ec472d7501127ad1da8
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/ptrace.c | 22 +++++++++++++++-------
+ arch/x86_64/kernel/ptrace.c | 23 ++++++++++++++++-------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+--- a/arch/i386/kernel/ptrace.c
++++ b/arch/i386/kernel/ptrace.c
+@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_line
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? */
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
+ return addr;
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(stru
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? */
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
++
+ return addr;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213237.440629308@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:23 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Peter Zijlstra <a.p.zijlstra@chello.nl>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 09/23] i386: fixup TRACE_IRQ breakage (CVE-2007-3731)
+Content-Disposition: inline; filename=i386-fixup-trace_irq-breakage.patch
+Content-Length: 2583
+Lines: 71
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+mainline: a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/entry.S | 2 --
+ arch/i386/kernel/traps.c | 10 ++++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/i386/kernel/entry.S
++++ b/arch/i386/kernel/entry.S
+@@ -409,8 +409,6 @@ restore_nocheck_notrace:
+ 1: INTERRUPT_RETURN
+ .section .fixup,"ax"
+ iret_exc:
+- TRACE_IRQS_ON
+- ENABLE_INTERRUPTS(CLBR_NONE)
+ pushl $0 # no error code
+ pushl $do_iret_error
+ jmp error_code
+--- a/arch/i386/kernel/traps.c
++++ b/arch/i386/kernel/traps.c
+@@ -517,10 +517,12 @@ fastcall void do_##name(struct pt_regs *
+ do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+ siginfo_t info; \
++ if (irq) \
++ local_irq_enable(); \
+ info.si_signo = signr; \
+ info.si_errno = 0; \
+ info.si_code = sicode; \
+@@ -560,13 +562,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS, "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+ long error_code)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213237.596753410@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:24 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Wang Zhenyu <zhenyu.z.wang@intel.com>,
+ Dave Airlie <airlied@redhat.com>,
+ Takashi Iwai <tiwai@suse.de>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 10/23] Intel_agp: really fix 945/965GME
+Content-Disposition: inline; filename=intel_agp-really-fix-945-965gme.patch
+Content-Length: 4651
+Lines: 100
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Wang Zhenyu <zhenyu.z.wang@intel.com>
+
+mainline: dde4787642ee3cb85aef80bdade04b6f8ddc3df8
+
+Fix some missing places to check with device id info, which
+should probe the device gart correctly.
+
+Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/agp/intel-agp.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/agp/intel-agp.c
++++ b/drivers/char/agp/intel-agp.c
+@@ -20,7 +20,9 @@
+ #define PCI_DEVICE_ID_INTEL_82965G_IG 0x29A2
+ #define PCI_DEVICE_ID_INTEL_82965GM_HB 0x2A00
+ #define PCI_DEVICE_ID_INTEL_82965GM_IG 0x2A02
++#define PCI_DEVICE_ID_INTEL_82965GME_HB 0x2A10
+ #define PCI_DEVICE_ID_INTEL_82965GME_IG 0x2A12
++#define PCI_DEVICE_ID_INTEL_82945GME_HB 0x27AC
+ #define PCI_DEVICE_ID_INTEL_82945GME_IG 0x27AE
+ #define PCI_DEVICE_ID_INTEL_G33_HB 0x29C0
+ #define PCI_DEVICE_ID_INTEL_G33_IG 0x29C2
+@@ -33,7 +35,8 @@
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_1_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965Q_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_HB || \
+- agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB)
++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB || \
++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GME_HB)
+
+ #define IS_G33 (agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G33_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_Q35_HB || \
+@@ -527,6 +530,7 @@ static void intel_i830_init_gtt_entries(
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB ||
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB ||
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB ||
++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB ||
+ IS_I965 || IS_G33)
+ gtt_entries = MB(48) - KB(size);
+ else
+@@ -538,6 +542,7 @@ static void intel_i830_init_gtt_entries(
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB ||
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB ||
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB ||
++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB ||
+ IS_I965 || IS_G33)
+ gtt_entries = MB(64) - KB(size);
+ else
+@@ -1848,9 +1853,9 @@ static const struct intel_driver_descrip
+ NULL, &intel_915_driver },
+ { PCI_DEVICE_ID_INTEL_82945G_HB, PCI_DEVICE_ID_INTEL_82945G_IG, 0, "945G",
+ NULL, &intel_915_driver },
+- { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 1, "945GM",
++ { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 0, "945GM",
+ NULL, &intel_915_driver },
+- { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME",
++ { PCI_DEVICE_ID_INTEL_82945GME_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME",
+ NULL, &intel_915_driver },
+ { PCI_DEVICE_ID_INTEL_82946GZ_HB, PCI_DEVICE_ID_INTEL_82946GZ_IG, 0, "946GZ",
+ NULL, &intel_i965_driver },
+@@ -1860,9 +1865,9 @@ static const struct intel_driver_descrip
+ NULL, &intel_i965_driver },
+ { PCI_DEVICE_ID_INTEL_82965G_HB, PCI_DEVICE_ID_INTEL_82965G_IG, 0, "965G",
+ NULL, &intel_i965_driver },
+- { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 1, "965GM",
++ { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 0, "965GM",
+ NULL, &intel_i965_driver },
+- { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE",
++ { PCI_DEVICE_ID_INTEL_82965GME_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE",
+ NULL, &intel_i965_driver },
+ { PCI_DEVICE_ID_INTEL_7505_0, 0, 0, "E7505", &intel_7505_driver, NULL },
+ { PCI_DEVICE_ID_INTEL_7205_0, 0, 0, "E7205", &intel_7505_driver, NULL },
+@@ -2051,11 +2056,13 @@ static struct pci_device_id agp_intel_pc
+ ID(PCI_DEVICE_ID_INTEL_82915GM_HB),
+ ID(PCI_DEVICE_ID_INTEL_82945G_HB),
+ ID(PCI_DEVICE_ID_INTEL_82945GM_HB),
++ ID(PCI_DEVICE_ID_INTEL_82945GME_HB),
+ ID(PCI_DEVICE_ID_INTEL_82946GZ_HB),
+ ID(PCI_DEVICE_ID_INTEL_82965G_1_HB),
+ ID(PCI_DEVICE_ID_INTEL_82965Q_HB),
+ ID(PCI_DEVICE_ID_INTEL_82965G_HB),
+ ID(PCI_DEVICE_ID_INTEL_82965GM_HB),
++ ID(PCI_DEVICE_ID_INTEL_82965GME_HB),
+ ID(PCI_DEVICE_ID_INTEL_G33_HB),
+ ID(PCI_DEVICE_ID_INTEL_Q35_HB),
+ ID(PCI_DEVICE_ID_INTEL_Q33_HB),
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:37 2008
+Message-Id: <20080222213237.756265443@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:25 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Kees Cook <kees@ubuntu.com>,
+ Corey Minyard <minyard@acm.org>,
+ David Woodhouse <dwmw2@infradead.org>,
+ Jeff Garzik <jeff@garzik.org>,
+ Greg KH <greg@kroah.com>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 11/23] pci: fix unterminated pci_device_id lists
+Content-Disposition: inline; filename=pci-fix-unterminated-pci_device_id-lists.patch
+Content-Length: 2558
+Lines: 69
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Kees Cook <kees@ubuntu.com>
+
+mainline: 248bdd5efca5a113cbf443a993c69e53d370236b
+
+Fix a couple drivers that do not correctly terminate their pci_device_id
+lists. This results in garbage being spewed into modules.pcimap when the
+module happens to not have 28 NULL bytes following the table, and/or the
+last PCI ID is actually truncated from the table when calculating the
+modules.alias PCI aliases, cause those unfortunate device IDs to not
+auto-load.
+
+Signed-off-by: Kees Cook <kees@ubuntu.com>
+Acked-by: Corey Minyard <minyard@acm.org>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Acked-by: Jeff Garzik <jeff@garzik.org>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 3 ++-
+ drivers/media/video/usbvision/usbvision-cards.c | 1 +
+ drivers/mtd/nand/cafe_nand.c | 3 ++-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2214,7 +2214,8 @@ static int ipmi_pci_resume(struct pci_de
+
+ static struct pci_device_id ipmi_pci_devices[] = {
+ { PCI_DEVICE(PCI_HP_VENDOR_ID, PCI_MMC_DEVICE_ID) },
+- { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) }
++ { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) },
++ { 0, }
+ };
+ MODULE_DEVICE_TABLE(pci, ipmi_pci_devices);
+
+--- a/drivers/media/video/usbvision/usbvision-cards.c
++++ b/drivers/media/video/usbvision/usbvision-cards.c
+@@ -1081,6 +1081,7 @@ struct usb_device_id usbvision_table []
+ { USB_DEVICE(0x2304, 0x0301), .driver_info=PINNA_LINX_VD_IN_CAB_PAL },
+ { USB_DEVICE(0x2304, 0x0419), .driver_info=PINNA_PCTV_BUNGEE_PAL_FM },
+ { USB_DEVICE(0x2400, 0x4200), .driver_info=HPG_WINTV },
++ { }, /* terminate list */
+ };
+
+ MODULE_DEVICE_TABLE (usb, usbvision_table);
+--- a/drivers/mtd/nand/cafe_nand.c
++++ b/drivers/mtd/nand/cafe_nand.c
+@@ -816,7 +816,8 @@ static void __devexit cafe_nand_remove(s
+ }
+
+ static struct pci_device_id cafe_nand_tbl[] = {
+- { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 }
++ { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 },
++ { 0, }
+ };
+
+ MODULE_DEVICE_TABLE(pci, cafe_nand_tbl);
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213237.911397799@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:26 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mattia Dongili <malattia@linux.it>,
+ Len Brown <len.brown@intel.com>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 12/23] sony-laptop: call sonypi_compat_init earlier
+Content-Disposition: inline; filename=sony-laptop-call-sonypi_compat_init-earlier.patch
+Content-Length: 2220
+Lines: 84
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Mattia Dongili <malattia@linux.it>
+
+mainline: 015a916fbbf105bb15f4bbfd80c3b9b2f2e0d7db
+
+sonypi_compat uses a kfifo that needs to be present before _SRS is
+called to be able to cope with the IRQs triggered when setting
+resources.
+
+Signed-off-by: Mattia Dongili <malattia@linux.it>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sony-laptop.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/misc/sony-laptop.c
++++ b/drivers/misc/sony-laptop.c
+@@ -2056,8 +2056,6 @@ static int sony_pic_remove(struct acpi_d
+ struct sony_pic_ioport *io, *tmp_io;
+ struct sony_pic_irq *irq, *tmp_irq;
+
+- sonypi_compat_exit();
+-
+ if (sony_pic_disable(device)) {
+ printk(KERN_ERR DRV_PFX "Couldn't disable device.\n");
+ return -ENXIO;
+@@ -2067,6 +2065,8 @@ static int sony_pic_remove(struct acpi_d
+ release_region(spic_dev.cur_ioport->io.minimum,
+ spic_dev.cur_ioport->io.address_length);
+
++ sonypi_compat_exit();
++
+ sony_laptop_remove_input();
+
+ /* pf attrs */
+@@ -2132,6 +2132,9 @@ static int sony_pic_add(struct acpi_devi
+ goto err_free_resources;
+ }
+
++ if (sonypi_compat_init())
++ goto err_remove_input;
++
+ /* request io port */
+ list_for_each_entry(io, &spic_dev.ioports, list) {
+ if (request_region(io->io.minimum, io->io.address_length,
+@@ -2146,7 +2149,7 @@ static int sony_pic_add(struct acpi_devi
+ if (!spic_dev.cur_ioport) {
+ printk(KERN_ERR DRV_PFX "Failed to request_region.\n");
+ result = -ENODEV;
+- goto err_remove_input;
++ goto err_remove_compat;
+ }
+
+ /* request IRQ */
+@@ -2186,9 +2189,6 @@ static int sony_pic_add(struct acpi_devi
+ if (result)
+ goto err_remove_pf;
+
+- if (sonypi_compat_init())
+- goto err_remove_pf;
+-
+ return 0;
+
+ err_remove_pf:
+@@ -2204,6 +2204,9 @@ err_release_region:
+ release_region(spic_dev.cur_ioport->io.minimum,
+ spic_dev.cur_ioport->io.address_length);
+
++err_remove_compat:
++ sonypi_compat_exit();
++
+ err_remove_input:
+ sony_laptop_remove_input();
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213238.071274614@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:27 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@linux-foundation.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 13/23] VIA_VELOCITY: Dont oops on MTU change.
+Content-Disposition: inline; filename=via_velocity-don-t-oops-on-mtu-change.patch
+Content-Length: 939
+Lines: 38
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+mainline: bd7b3f34198071d8bec05180530c362f1800ba46
+
+Simple mtu change when device is down.
+Fix http://bugzilla.kernel.org/show_bug.cgi?id=9382.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/via-velocity.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/via-velocity.c
++++ b/drivers/net/via-velocity.c
+@@ -1798,6 +1798,11 @@ static int velocity_change_mtu(struct ne
+ return -EINVAL;
+ }
+
++ if (!netif_running(dev)) {
++ dev->mtu = new_mtu;
++ return 0;
++ }
++
+ if (new_mtu != oldmtu) {
+ spin_lock_irqsave(&vptr->lock, flags);
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213238.227078214@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:28 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@linux-foundation.org>,
+ Jeff Garzik <jeff@garzik.org>,
+ Jeff Mahoney <jeffm@suse.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 14/23] via-velocity: dont oops on MTU change (resend)
+Content-Disposition: inline; filename=via-velocity-don-t-oops-on-mtu-change.patch
+Content-Length: 1840
+Lines: 61
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+mainline: 48f6b053613b62fed7a2fe3255e5568260a8d615
+
+The VIA veloicty driver needs the following to allow changing MTU when down.
+The buffer size needs to be computed when device is brought up, not when
+device is initialized. This also fixes a bug where the buffer size was
+computed differently on change_mtu versus initial setting.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/via-velocity.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/via-velocity.c
++++ b/drivers/net/via-velocity.c
+@@ -1075,6 +1075,9 @@ static int velocity_init_rd_ring(struct
+ int ret = -ENOMEM;
+ unsigned int rsize = sizeof(struct velocity_rd_info) *
+ vptr->options.numrx;
++ int mtu = vptr->dev->mtu;
++
++ vptr->rx_buf_sz = (mtu <= ETH_DATA_LEN) ? PKT_BUF_SZ : mtu + 32;
+
+ vptr->rd_info = kmalloc(rsize, GFP_KERNEL);
+ if(vptr->rd_info == NULL)
+@@ -1733,8 +1736,6 @@ static int velocity_open(struct net_devi
+ struct velocity_info *vptr = netdev_priv(dev);
+ int ret;
+
+- vptr->rx_buf_sz = (dev->mtu <= 1504 ? PKT_BUF_SZ : dev->mtu + 32);
+-
+ ret = velocity_init_rings(vptr);
+ if (ret < 0)
+ goto out;
+@@ -1813,12 +1814,6 @@ static int velocity_change_mtu(struct ne
+ velocity_free_rd_ring(vptr);
+
+ dev->mtu = new_mtu;
+- if (new_mtu > 8192)
+- vptr->rx_buf_sz = 9 * 1024;
+- else if (new_mtu > 4096)
+- vptr->rx_buf_sz = 8192;
+- else
+- vptr->rx_buf_sz = 4 * 1024;
+
+ ret = velocity_init_rd_ring(vptr);
+ if (ret < 0)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213238.383324120@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:29 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Roland <devzero@web.de>,
+ Andreas Gruenbacher <agruen@suse.de>,
+ "J. Bruce Fields" <bfields@citi.umich.edu>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 15/23] knfsd: fix spurious EINVAL errors on first access of new filesystem
+Content-Disposition: inline; filename=knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch
+Content-Length: 1765
+Lines: 55
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+mainline: ac8587dcb58e40dd336d99d60f852041e06cc3dd
+
+The v2/v3 acl code in nfsd is translating any return from fh_verify() to
+nfserr_inval. This is particularly unfortunate in the case of an
+nfserr_dropit return, which is an internal error meant to indicate to
+callers that this request has been deferred and should just be dropped
+pending the results of an upcall to mountd.
+
+Thanks to Roland <devzero@web.de> for bug report and data collection.
+
+Cc: Roland <devzero@web.de>
+Acked-by: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Reviewed-By: NeilBrown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs2acl.c | 2 +-
+ fs/nfsd/nfs3acl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -41,7 +41,7 @@ static __be32 nfsacld_proc_getacl(struct
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+ if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+- RETURN_STATUS(nfserr_inval);
++ RETURN_STATUS(nfserr);
+
+ if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+ RETURN_STATUS(nfserr_inval);
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -37,7 +37,7 @@ static __be32 nfsd3_proc_getacl(struct s
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+ if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+- RETURN_STATUS(nfserr_inval);
++ RETURN_STATUS(nfserr);
+
+ if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+ RETURN_STATUS(nfserr_inval);
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213238.543292635@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:30 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>,
+ Neil Brown <neilb@suse.de>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 16/23] NFS: Fix nfs_reval_fsid()
+Content-Disposition: inline; filename=nfs-fix-nfs_reval_fsid.patch
+Content-Length: 1996
+Lines: 67
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+mainline: a0356862bcbeb20acf64bc1a82d28a4c5bb957a7
+
+We don't need to revalidate the fsid on the root directory. It suffices to
+revalidate it on the current directory.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Acked-by: Neil Brown <neilb@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c | 9 ++++-----
+ fs/nfs/inode.c | 4 ++--
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -897,14 +897,13 @@ int nfs_is_exclusive_create(struct inode
+ return (nd->intent.open.flags & O_EXCL) != 0;
+ }
+
+-static inline int nfs_reval_fsid(struct vfsmount *mnt, struct inode *dir,
+- struct nfs_fh *fh, struct nfs_fattr *fattr)
++static inline int nfs_reval_fsid(struct inode *dir, const struct nfs_fattr *fattr)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+
+ if (!nfs_fsid_equal(&server->fsid, &fattr->fsid))
+- /* Revalidate fsid on root dir */
+- return __nfs_revalidate_inode(server, mnt->mnt_root->d_inode);
++ /* Revalidate fsid using the parent directory */
++ return __nfs_revalidate_inode(server, dir);
+ return 0;
+ }
+
+@@ -946,7 +945,7 @@ static struct dentry *nfs_lookup(struct
+ res = ERR_PTR(error);
+ goto out_unlock;
+ }
+- error = nfs_reval_fsid(nd->mnt, dir, &fhandle, &fattr);
++ error = nfs_reval_fsid(dir, &fattr);
+ if (error < 0) {
+ res = ERR_PTR(error);
+ goto out_unlock;
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -961,8 +961,8 @@ static int nfs_update_inode(struct inode
+ goto out_changed;
+
+ server = NFS_SERVER(inode);
+- /* Update the fsid if and only if this is the root directory */
+- if (inode == inode->i_sb->s_root->d_inode
++ /* Update the fsid? */
++ if (S_ISDIR(inode->i_mode)
+ && !nfs_fsid_equal(&server->fsid, &fattr->fsid))
+ server->fsid = fattr->fsid;
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:38 2008
+Message-Id: <20080222213238.697049816@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:31 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Neil Brown <neilb@suse.de>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 17/23] NFSv2/v3: Fix a memory leak when using -onolock
+Content-Disposition: inline; filename=nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch
+Content-Length: 1775
+Lines: 61
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+
+mainline: 5cef338b30c110daf547fb13d99f0c77f2a79fbc
+
+ Neil Brown said:
+ > Hi Trond,
+ >
+ > We found that a machine which made moderately heavy use of
+ > 'automount' was leaking some nfs data structures - particularly the
+ > 4K allocated by rpc_alloc_iostats.
+ > It turns out that this only happens with filesystems with -onolock
+ > set.
+
+ > The problem is that if NFS_MOUNT_NONLM is set, nfs_start_lockd doesn't
+ > set server->destroy, so when the filesystem is unmounted, the
+ > ->client_acl is not shutdown, and so several resources are still
+ > held. Multiple mount/umount cycles will slowly eat away memory
+ > several pages at a time.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+Acked-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Neil Brown <neilb@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/nfs/client.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -433,9 +433,6 @@ static int nfs_create_rpc_client(struct
+ */
+ static void nfs_destroy_server(struct nfs_server *server)
+ {
+- if (!IS_ERR(server->client_acl))
+- rpc_shutdown_client(server->client_acl);
+-
+ if (!(server->flags & NFS_MOUNT_NONLM))
+ lockd_down(); /* release rpc.lockd */
+ }
+@@ -781,6 +778,9 @@ void nfs_free_server(struct nfs_server *
+
+ if (server->destroy != NULL)
+ server->destroy(server);
++
++ if (!IS_ERR(server->client_acl))
++ rpc_shutdown_client(server->client_acl);
+ if (!IS_ERR(server->client))
+ rpc_shutdown_client(server->client);
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213238.858684045@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:32 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>,
+ Neil Brown <neilb@suse.de>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 18/23] NFS: Fix an Oops in encode_lookup()
+Content-Disposition: inline; filename=nfs-fix-an-oops-in-encode_lookup.patch
+Content-Length: 3809
+Lines: 120
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+mainline: 54af3bb543c071769141387a42deaaab5074da55
+
+It doesn't look as if the NFS file name limit is being initialised correctly
+in the struct nfs_server. Make sure that we limit whatever is being set in
+nfs_probe_fsinfo() and nfs_init_server().
+
+Also ensure that readdirplus and nfs4_path_walk respect our file name
+limits.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Neil Brown <neilb@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/client.c | 29 +++++++++++++++++++----------
+ fs/nfs/dir.c | 2 ++
+ fs/nfs/getroot.c | 3 +++
+ 3 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -611,16 +611,6 @@ static int nfs_init_server(struct nfs_se
+ server->namelen = data->namlen;
+ /* Create a client RPC handle for the NFSv3 ACL management interface */
+ nfs_init_server_aclclient(server);
+- if (clp->cl_nfsversion == 3) {
+- if (server->namelen == 0 || server->namelen > NFS3_MAXNAMLEN)
+- server->namelen = NFS3_MAXNAMLEN;
+- if (!(data->flags & NFS_MOUNT_NORDIRPLUS))
+- server->caps |= NFS_CAP_READDIRPLUS;
+- } else {
+- if (server->namelen == 0 || server->namelen > NFS2_MAXNAMLEN)
+- server->namelen = NFS2_MAXNAMLEN;
+- }
+-
+ dprintk("<-- nfs_init_server() = 0 [new %p]\n", clp);
+ return 0;
+
+@@ -820,6 +810,16 @@ struct nfs_server *nfs_create_server(con
+ error = nfs_probe_fsinfo(server, mntfh, &fattr);
+ if (error < 0)
+ goto error;
++ if (server->nfs_client->rpc_ops->version == 3) {
++ if (server->namelen == 0 || server->namelen > NFS3_MAXNAMLEN)
++ server->namelen = NFS3_MAXNAMLEN;
++ if (!(data->flags & NFS_MOUNT_NORDIRPLUS))
++ server->caps |= NFS_CAP_READDIRPLUS;
++ } else {
++ if (server->namelen == 0 || server->namelen > NFS2_MAXNAMLEN)
++ server->namelen = NFS2_MAXNAMLEN;
++ }
++
+ if (!(fattr.valid & NFS_ATTR_FATTR)) {
+ error = server->nfs_client->rpc_ops->getattr(server, mntfh, &fattr);
+ if (error < 0) {
+@@ -1010,6 +1010,9 @@ struct nfs_server *nfs4_create_server(co
+ if (error < 0)
+ goto error;
+
++ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++ server->namelen = NFS4_MAXNAMLEN;
++
+ BUG_ON(!server->nfs_client);
+ BUG_ON(!server->nfs_client->rpc_ops);
+ BUG_ON(!server->nfs_client->rpc_ops->file_inode_ops);
+@@ -1082,6 +1085,9 @@ struct nfs_server *nfs4_create_referral_
+ if (error < 0)
+ goto error;
+
++ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++ server->namelen = NFS4_MAXNAMLEN;
++
+ dprintk("Referral FSID: %llx:%llx\n",
+ (unsigned long long) server->fsid.major,
+ (unsigned long long) server->fsid.minor);
+@@ -1141,6 +1147,9 @@ struct nfs_server *nfs_clone_server(stru
+ if (error < 0)
+ goto out_free_server;
+
++ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++ server->namelen = NFS4_MAXNAMLEN;
++
+ dprintk("Cloned FSID: %llx:%llx\n",
+ (unsigned long long) server->fsid.major,
+ (unsigned long long) server->fsid.minor);
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1162,6 +1162,8 @@ static struct dentry *nfs_readdir_lookup
+ }
+ if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
+ return NULL;
++ if (name.len > NFS_SERVER(dir)->namelen)
++ return NULL;
+ /* Note: caller is already holding the dir->i_mutex! */
+ dentry = d_alloc(parent, &name);
+ if (dentry == NULL)
+--- a/fs/nfs/getroot.c
++++ b/fs/nfs/getroot.c
+@@ -175,6 +175,9 @@ next_component:
+ path++;
+ name.len = path - (const char *) name.name;
+
++ if (name.len > NFS4_MAXNAMLEN)
++ return -ENAMETOOLONG;
++
+ eat_dot_dir:
+ while (*path == '/')
+ path++;
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213239.017011221@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:33 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "J. Bruce Fields" <bfields@citi.umich.edu>,
+ Andreas Gruenbacher <agruen@suse.de>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 19/23] knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME
+Content-Disposition: inline; filename=knfsd-query-filesystem-for-nfsv4-getattr-of-fattr4_maxname.patch
+Content-Length: 1314
+Lines: 43
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+mainline: a16e92edcd0a2846455a30823e1bac964e743baa
+
+Without this we always return 2^32-1 as the the maximum namelength.
+
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4xdr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1453,7 +1453,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
+ err = vfs_getattr(exp->ex_mnt, dentry, &stat);
+ if (err)
+ goto out_nfserr;
+- if ((bmval0 & (FATTR4_WORD0_FILES_FREE | FATTR4_WORD0_FILES_TOTAL)) ||
++ if ((bmval0 & (FATTR4_WORD0_FILES_FREE | FATTR4_WORD0_FILES_TOTAL |
++ FATTR4_WORD0_MAXNAME)) ||
+ (bmval1 & (FATTR4_WORD1_SPACE_AVAIL | FATTR4_WORD1_SPACE_FREE |
+ FATTR4_WORD1_SPACE_TOTAL))) {
+ err = vfs_statfs(dentry, &statfs);
+@@ -1699,7 +1700,7 @@ out_acl:
+ if (bmval0 & FATTR4_WORD0_MAXNAME) {
+ if ((buflen -= 4) < 0)
+ goto out_resource;
+- WRITE32(~(u32) 0);
++ WRITE32(statfs.f_namelen);
+ }
+ if (bmval0 & FATTR4_WORD0_MAXREAD) {
+ if ((buflen -= 8) < 0)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213239.176383572@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:34 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christoph Lameter <clameter@sgi.com>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL
+Content-Disposition: inline; filename=quicklists-only-consider-memory-that-can-be-used-with-gfp_kernel.patch
+Content-Length: 1688
+Lines: 52
+
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Christoph Lameter <clameter@sgi.com>
+
+Subject: [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL
+
+patch 96990a4ae979df9e235d01097d6175759331e88c in mainline.
+
+Quicklists calculates the size of the quicklists based on the number of
+free pages. This must be the number of free pages that can be allocated
+with GFP_KERNEL. node_page_state() includes the pages in ZONE_HIGHMEM and
+ZONE_MOVABLE which may lead the quicklists to become too large causing OOM.
+
+Signed-off-by: Christoph Lameter <clameter@sgi.com>
+Tested-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
+
+---
+ mm/quicklist.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/mm/quicklist.c
++++ b/mm/quicklist.c
+@@ -26,9 +26,17 @@ DEFINE_PER_CPU(struct quicklist, quickli
+ static unsigned long max_pages(unsigned long min_pages)
+ {
+ unsigned long node_free_pages, max;
++ struct zone *zones = NODE_DATA(numa_node_id())->node_zones;
++
++ node_free_pages =
++#ifdef CONFIG_ZONE_DMA
++ zone_page_state(&zones[ZONE_DMA], NR_FREE_PAGES) +
++#endif
++#ifdef CONFIG_ZONE_DMA32
++ zone_page_state(&zones[ZONE_DMA32], NR_FREE_PAGES) +
++#endif
++ zone_page_state(&zones[ZONE_NORMAL], NR_FREE_PAGES);
+
+- node_free_pages = node_page_state(numa_node_id(),
+- NR_FREE_PAGES);
+ max = node_free_pages / FRACTION_OF_NODE_MEM;
+ return max(max, min_pages);
+ }
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213239.332152461@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:35 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jonathan Corbet <corbet@lwn.net>,
+ Oliver Pinter <oliver.pntr@gmail.com>
+Subject: [patch 21/23] Be more robust about bad arguments in get_user_pages()
+Content-Disposition: inline; filename=be-more-robust-about-bad-arguments-in-get_user_pages.patch
+Content-Length: 1758
+Lines: 51
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+MAINLINE: 900cf086fd2fbad07f72f4575449e0d0958f860f
+
+So I spent a while pounding my head against my monitor trying to figure
+out the vmsplice() vulnerability - how could a failure to check for
+*read* access turn into a root exploit? It turns out that it's a buffer
+overflow problem which is made easy by the way get_user_pages() is
+coded.
+
+In particular, "len" is a signed int, and it is only checked at the
+*end* of a do {} while() loop. So, if it is passed in as zero, the loop
+will execute once and decrement len to -1. At that point, the loop will
+proceed until the next invalid address is found; in the process, it will
+likely overflow the pages array passed in to get_user_pages().
+
+I think that, if get_user_pages() has been asked to grab zero pages,
+that's what it should do. Thus this patch; it is, among other things,
+enough to block the (already fixed) root exploit and any others which
+might be lurking in similar code. I also think that the number of pages
+should be unsigned, but changing the prototype of this function probably
+requires some more careful review.
+
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Oliver Pinter <oliver.pntr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -983,6 +983,8 @@ int get_user_pages(struct task_struct *t
+ int i;
+ unsigned int vm_flags;
+
++ if (len <= 0)
++ return 0;
+ /*
+ * Require read or write permissions.
+ * If 'force' is set, we only require the "MAY" flags.
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213239.489042583@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:36 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tony Battersby <tonyb@cybernetics.com>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>
+Subject: [patch 22/23] SCSI: sd: handle bad lba in sense information
+Content-Disposition: inline; filename=scsi-sd-handle-bad-lba-in-sense-information.patch
+Content-Length: 2276
+Lines: 78
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.
+
+Some devices report medium error locations incorrectly. Add guards to
+make sure the reported bad lba is actually in the request that caused
+it. Additionally remove the large case statment for sector sizes and
+replace it with the proper u64 divisions.
+
+Tested-by: Mike Snitzer <snitzer@gmail.com>
+Cc: Stable Tree <stable@kernel.org>
+Cc: Tony Battersby <tonyb@cybernetics.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/sd.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -895,6 +895,7 @@ static void sd_rw_intr(struct scsi_cmnd
+ unsigned int xfer_size = SCpnt->request_bufflen;
+ unsigned int good_bytes = result ? 0 : xfer_size;
+ u64 start_lba = SCpnt->request->sector;
++ u64 end_lba = SCpnt->request->sector + (xfer_size / 512);
+ u64 bad_lba;
+ struct scsi_sense_hdr sshdr;
+ int sense_valid = 0;
+@@ -933,26 +934,23 @@ static void sd_rw_intr(struct scsi_cmnd
+ goto out;
+ if (xfer_size <= SCpnt->device->sector_size)
+ goto out;
+- switch (SCpnt->device->sector_size) {
+- case 256:
++ if (SCpnt->device->sector_size < 512) {
++ /* only legitimate sector_size here is 256 */
+ start_lba <<= 1;
+- break;
+- case 512:
+- break;
+- case 1024:
+- start_lba >>= 1;
+- break;
+- case 2048:
+- start_lba >>= 2;
+- break;
+- case 4096:
+- start_lba >>= 3;
+- break;
+- default:
+- /* Print something here with limiting frequency. */
+- goto out;
+- break;
++ end_lba <<= 1;
++ } else {
++ /* be careful ... don't want any overflows */
++ u64 factor = SCpnt->device->sector_size / 512;
++ do_div(start_lba, factor);
++ do_div(end_lba, factor);
+ }
++
++ if (bad_lba < start_lba || bad_lba >= end_lba)
++ /* the bad lba was reported incorrectly, we have
++ * no idea where the error is
++ */
++ goto out;
++
+ /* This computation should always be done in terms of
+ * the resolution of the device's medium.
+ */
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:39 2008
+Message-Id: <20080222213239.644983352@mini.kroah.org>
+References: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:37 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
+ Patrick McHardy <kaber@trash.net>
+Subject: [patch 23/23] NETFILTER: nf_conntrack_tcp: conntrack reopening fix
+Content-Disposition: inline; filename=netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
+Content-Length: 4074
+Lines: 109
+
+2.6.22-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+[NETFILTER]: nf_conntrack_tcp: conntrack reopening fix
+
+[Upstream commits b2155e7f + d0c1fd7a]
+
+TCP connection tracking in netfilter did not handle TCP reopening
+properly: active close was taken into account for one side only and
+not for any side, which is fixed now. The patch includes more comments
+to explain the logic how the different cases are handled.
+The bug was discovered by Jeff Chua.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 35 +++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -143,7 +143,7 @@ enum tcp_bit_set {
+ * CLOSE_WAIT: ACK seen (after FIN)
+ * LAST_ACK: FIN seen (after FIN)
+ * TIME_WAIT: last ACK seen
+- * CLOSE: closed connection
++ * CLOSE: closed connection (RST)
+ *
+ * LISTEN state is not used.
+ *
+@@ -842,8 +842,21 @@ static int tcp_packet(struct nf_conn *co
+ case TCP_CONNTRACK_SYN_SENT:
+ if (old_state < TCP_CONNTRACK_TIME_WAIT)
+ break;
+- if ((conntrack->proto.tcp.seen[!dir].flags &
+- IP_CT_TCP_FLAG_CLOSE_INIT)
++ /* RFC 1122: "When a connection is closed actively,
++ * it MUST linger in TIME-WAIT state for a time 2xMSL
++ * (Maximum Segment Lifetime). However, it MAY accept
++ * a new SYN from the remote TCP to reopen the connection
++ * directly from TIME-WAIT state, if..."
++ * We ignore the conditions because we are in the
++ * TIME-WAIT state anyway.
++ *
++ * Handle aborted connections: we and the server
++ * think there is an existing connection but the client
++ * aborts it and starts a new one.
++ */
++ if (((conntrack->proto.tcp.seen[dir].flags
++ | conntrack->proto.tcp.seen[!dir].flags)
++ & IP_CT_TCP_FLAG_CLOSE_INIT)
+ || (conntrack->proto.tcp.last_dir == dir
+ && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
+ /* Attempt to reopen a closed/aborted connection.
+@@ -856,18 +869,25 @@ static int tcp_packet(struct nf_conn *co
+ }
+ /* Fall through */
+ case TCP_CONNTRACK_IGNORE:
+- /* Ignored packets:
++ /* Ignored packets:
++ *
++ * Our connection entry may be out of sync, so ignore
++ * packets which may signal the real connection between
++ * the client and the server.
+ *
+ * a) SYN in ORIGINAL
+ * b) SYN/ACK in REPLY
+ * c) ACK in reply direction after initial SYN in original.
++ *
++ * If the ignored packet is invalid, the receiver will send
++ * a RST we'll catch below.
+ */
+ if (index == TCP_SYNACK_SET
+ && conntrack->proto.tcp.last_index == TCP_SYN_SET
+ && conntrack->proto.tcp.last_dir != dir
+ && ntohl(th->ack_seq) ==
+ conntrack->proto.tcp.last_end) {
+- /* This SYN/ACK acknowledges a SYN that we earlier
++ /* b) This SYN/ACK acknowledges a SYN that we earlier
+ * ignored as invalid. This means that the client and
+ * the server are both in sync, while the firewall is
+ * not. We kill this session and block the SYN/ACK so
+@@ -892,7 +912,7 @@ static int tcp_packet(struct nf_conn *co
+ write_unlock_bh(&tcp_lock);
+ if (LOG_INVALID(IPPROTO_TCP))
+ nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+- "nf_ct_tcp: invalid packed ignored ");
++ "nf_ct_tcp: invalid packet ignored ");
+ return NF_ACCEPT;
+ case TCP_CONNTRACK_MAX:
+ /* Invalid packet */
+@@ -948,8 +968,7 @@ static int tcp_packet(struct nf_conn *co
+
+ conntrack->proto.tcp.state = new_state;
+ if (old_state != new_state
+- && (new_state == TCP_CONNTRACK_FIN_WAIT
+- || new_state == TCP_CONNTRACK_CLOSE))
++ && new_state == TCP_CONNTRACK_FIN_WAIT)
+ conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+ timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
+ && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 13:32:36 2008
+Message-Id: <20080222213114.583282464@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 13:31:14 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/23] 2.6.22-stable review
+Content-Length: 2588
+Lines: 51
+
+This is the start of the stable review cycle for the 2.6.22.19 release.
+There are 23 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the
+Cc: line. If you wish to be a reviewer, please email stable@kernel.org
+to add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Monday, Feb 24, 2008, 22:00:00 UTC.
+Anything received after that time might be too late.
+
+The whole patch series can be found in one patch at:
+ kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.22.19-rc1.gz
+and the diffstat can be found below.
+
+thanks,
+
+greg k-h
+
+-----------
+ Makefile | 2
+ arch/i386/kernel/entry.S | 2
+ arch/i386/kernel/ptrace.c | 22 +++--
+ arch/i386/kernel/traps.c | 10 +-
+ arch/x86_64/kernel/ptrace.c | 23 ++++--
+ drivers/ata/sata_promise.c | 91 ++++++++++++++++++++++--
+ drivers/block/cciss.c | 6 +
+ drivers/char/agp/intel-agp.c | 17 +++-
+ drivers/char/ipmi/ipmi_si_intf.c | 3
+ drivers/media/video/usbvision/usbvision-cards.c | 1
+ drivers/misc/sony-laptop.c | 15 ++-
+ drivers/mtd/nand/cafe_nand.c | 3
+ drivers/net/via-velocity.c | 16 ++--
+ drivers/pci/hotplug/fakephp.c | 39 +++++++++-
+ drivers/scsi/sd.c | 34 ++++----
+ fs/nfs/client.c | 35 +++++----
+ fs/nfs/dir.c | 11 +-
+ fs/nfs/getroot.c | 3
+ fs/nfs/inode.c | 4 -
+ fs/nfs/write.c | 20 ++++-
+ fs/nfsd/nfs2acl.c | 2
+ fs/nfsd/nfs3acl.c | 2
+ fs/nfsd/nfs4xdr.c | 5 -
+ include/linux/quicklist.h | 8 --
+ mm/memory.c | 2
+ mm/quicklist.c | 12 ++-
+ net/netfilter/nf_conntrack_proto_tcp.c | 33 ++++++--
+ 27 files changed, 306 insertions(+), 115 deletions(-)
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
