--- /dev/null
+From gregkh@mini.kroah.org Fri Feb 22 16:20:41 2008
+Message-Id: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:46 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/38] 2.6.24-stable review
+Status: RO
+Content-Length: 3558
+Lines: 72
+
+This is the start of the stable review cycle for the 2.6.24.3 release.
+There are 38 patches in this series, all will be posted as a response
+to this one. If anyone has any issues with these being applied, please
+let us know. If anyone is a maintainer of the proper subsystem, and
+wants to add a Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the
+Cc: line. If you wish to be a reviewer, please email stable@kernel.org
+to add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Tuesday, Feb 25, 2008, 00:10:00 UTC.
+Anything received after that time might be too late.
+
+The whole patch series can be found in one patch at:
+ kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.24.3-rc1.gz
+and the diffstat can be found below.
+
+
+thanks,
+
+greg k-h
+
+ Makefile | 9 +-
+ arch/powerpc/platforms/chrp/pci.c | 4 -
+ arch/powerpc/platforms/powermac/feature.c | 11 +++
+ arch/s390/lib/uaccess_std.c | 8 +-
+ arch/sparc/lib/rwsem.S | 2
+ arch/sparc64/lib/rwsem.S | 2
+ arch/x86/mm/pageattr_64.c | 2
+ drivers/macintosh/smu.c | 25 +++++++
+ drivers/net/bonding/bond_main.c | 16 ++--
+ drivers/net/dl2k.h | 4 -
+ drivers/net/pcmcia/smc91c92_cs.c | 12 +++
+ drivers/scsi/gdth.c | 9 ++
+ drivers/scsi/sd.c | 34 ++++------
+ drivers/usb/class/usblp.c | 1
+ fs/inotify_user.c | 2
+ fs/nfs/write.c | 20 +++++-
+ fs/super.c | 1
+ fs/xfs/linux-2.6/xfs_file.c | 3
+ include/asm-powerpc/pmac_feature.h | 8 ++
+ include/linux/Kbuild | 1
+ include/linux/hrtimer.h | 2
+ include/linux/hugetlb.h | 1
+ include/linux/ktime.h | 2
+ kernel/audit.c | 10 ++-
+ kernel/compat.c | 44 ++++++++++++-
+ kernel/futex.c | 2
+ kernel/futex_compat.c | 2
+ kernel/hrtimer.c | 100 +++++++++++++++++-------------
+ kernel/irq/chip.c | 20 +++++-
+ kernel/posix-timers.c | 25 ++-----
+ kernel/sysctl.c | 2
+ mm/hugetlb.c | 10 +++
+ mm/memory.c | 2
+ mm/slub.c | 3
+ net/bluetooth/hci_sysfs.c | 48 +++++++++++---
+ net/ipv4/fib_hash.c | 47 +++++++++-----
+ net/ipv4/fib_trie.c | 57 ++++++++++-------
+ net/ipv4/inet_diag.c | 11 +--
+ net/ipv4/ip_output.c | 4 -
+ net/ipv4/ipcomp.c | 5 +
+ net/ipv4/sysctl_net_ipv4.c | 2
+ net/ipv4/xfrm4_tunnel.c | 2
+ net/ipv6/ip6_output.c | 4 -
+ net/ipv6/ipcomp6.c | 5 +
+ net/netfilter/nf_conntrack_proto_tcp.c | 35 ++++++++--
+ net/sched/em_meta.c | 10 +--
+ net/sched/ematch.c | 5 -
+ security/selinux/ss/services.c | 1
+ 48 files changed, 439 insertions(+), 196 deletions(-)
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:41 2008
+Message-Id: <20080223002041.519850564@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:47 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sam Ravnborg <sam@ravnborg.org>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 01/38] SPARC/SPARC64: Fix usage of .section .sched.text in assembler code.
+Content-Disposition: inline; filename=sparc-sparc64-fix-usage-of-.section-.sched.text-in-assembler-code.patch
+Status: RO
+Content-Length: 1044
+Lines: 45
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ [SPARC/SPARC64]: Fix usage of .section .sched.text in assembler code.
+
+Upstream commit: c6d64c16bb193c8ca2ccc0b3c556a4574a02408b
+
+ld will generate an unique named section when assembler do not use
+"ax" but gcc does. Add the missing annotation.
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc/lib/rwsem.S | 2 +-
+ arch/sparc64/lib/rwsem.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/sparc/lib/rwsem.S
++++ b/arch/sparc/lib/rwsem.S
+@@ -7,7 +7,7 @@
+ #include <asm/ptrace.h>
+ #include <asm/psr.h>
+
+- .section .sched.text
++ .section .sched.text, "ax"
+ .align 4
+
+ .globl ___down_read
+--- a/arch/sparc64/lib/rwsem.S
++++ b/arch/sparc64/lib/rwsem.S
+@@ -6,7 +6,7 @@
+
+ #include <asm/rwsem-const.h>
+
+- .section .sched.text
++ .section .sched.text, "ax"
+
+ .globl __down_read
+ __down_read:
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:41 2008
+Message-Id: <20080223002041.676917593@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:48 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
+ Patrick McHardy <kaber@trash.net>
+Subject: [patch 02/38] NETFILTER: nf_conntrack_tcp: conntrack reopening fix
+Content-Disposition: inline; filename=netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
+Status: RO
+Content-Length: 4114
+Lines: 109
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+[NETFILTER]: nf_conntrack_tcp: conntrack reopening fix
+
+[Upstream commits b2155e7f + d0c1fd7a]
+
+TCP connection tracking in netfilter did not handle TCP reopening
+properly: active close was taken into account for one side only and
+not for any side, which is fixed now. The patch includes more comments
+to explain the logic how the different cases are handled.
+The bug was discovered by Jeff Chua.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -135,7 +135,7 @@ enum tcp_bit_set {
+ * CLOSE_WAIT: ACK seen (after FIN)
+ * LAST_ACK: FIN seen (after FIN)
+ * TIME_WAIT: last ACK seen
+- * CLOSE: closed connection
++ * CLOSE: closed connection (RST)
+ *
+ * LISTEN state is not used.
+ *
+@@ -834,8 +834,21 @@ static int tcp_packet(struct nf_conn *conntrack,
+ case TCP_CONNTRACK_SYN_SENT:
+ if (old_state < TCP_CONNTRACK_TIME_WAIT)
+ break;
+- if ((conntrack->proto.tcp.seen[!dir].flags &
+- IP_CT_TCP_FLAG_CLOSE_INIT)
++ /* RFC 1122: "When a connection is closed actively,
++ * it MUST linger in TIME-WAIT state for a time 2xMSL
++ * (Maximum Segment Lifetime). However, it MAY accept
++ * a new SYN from the remote TCP to reopen the connection
++ * directly from TIME-WAIT state, if..."
++ * We ignore the conditions because we are in the
++ * TIME-WAIT state anyway.
++ *
++ * Handle aborted connections: we and the server
++ * think there is an existing connection but the client
++ * aborts it and starts a new one.
++ */
++ if (((conntrack->proto.tcp.seen[dir].flags
++ | conntrack->proto.tcp.seen[!dir].flags)
++ & IP_CT_TCP_FLAG_CLOSE_INIT)
+ || (conntrack->proto.tcp.last_dir == dir
+ && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
+ /* Attempt to reopen a closed/aborted connection.
+@@ -848,18 +861,25 @@ static int tcp_packet(struct nf_conn *conntrack,
+ }
+ /* Fall through */
+ case TCP_CONNTRACK_IGNORE:
+- /* Ignored packets:
++ /* Ignored packets:
++ *
++ * Our connection entry may be out of sync, so ignore
++ * packets which may signal the real connection between
++ * the client and the server.
+ *
+ * a) SYN in ORIGINAL
+ * b) SYN/ACK in REPLY
+ * c) ACK in reply direction after initial SYN in original.
++ *
++ * If the ignored packet is invalid, the receiver will send
++ * a RST we'll catch below.
+ */
+ if (index == TCP_SYNACK_SET
+ && conntrack->proto.tcp.last_index == TCP_SYN_SET
+ && conntrack->proto.tcp.last_dir != dir
+ && ntohl(th->ack_seq) ==
+ conntrack->proto.tcp.last_end) {
+- /* This SYN/ACK acknowledges a SYN that we earlier
++ /* b) This SYN/ACK acknowledges a SYN that we earlier
+ * ignored as invalid. This means that the client and
+ * the server are both in sync, while the firewall is
+ * not. We kill this session and block the SYN/ACK so
+@@ -884,7 +904,7 @@ static int tcp_packet(struct nf_conn *conntrack,
+ write_unlock_bh(&tcp_lock);
+ if (LOG_INVALID(IPPROTO_TCP))
+ nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+- "nf_ct_tcp: invalid packed ignored ");
++ "nf_ct_tcp: invalid packet ignored ");
+ return NF_ACCEPT;
+ case TCP_CONNTRACK_MAX:
+ /* Invalid packet */
+@@ -938,8 +958,7 @@ static int tcp_packet(struct nf_conn *conntrack,
+
+ conntrack->proto.tcp.state = new_state;
+ if (old_state != new_state
+- && (new_state == TCP_CONNTRACK_FIN_WAIT
+- || new_state == TCP_CONNTRACK_CLOSE))
++ && new_state == TCP_CONNTRACK_FIN_WAIT)
+ conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+ timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
+ && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
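Review bot: in the last hunk, dropping TCP_CONNTRACK_CLOSE from the condition that sets IP_CT_TCP_FLAG_CLOSE_INIT changes which path a reopen after RST takes, and nothing at that site says so. With only FIN_WAIT setting the flag, a SYN on an RST-closed entry reaches the reopen branch of the SYN_SENT case only through the `last_dir == dir && last_index == TCP_RST_SET` test, that is, only when the recorded last packet is an RST from the same direction as the new SYN. A short comment above the assignment stating that CLOSE is deliberately excluded, and which check covers the aborted-connection case instead, would save the next reader from re-deriving it across two hunks.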
+_______________________________________________
+stable mailing list
+stable@linux.kernel.org
+http://linux.kernel.org/mailman/listinfo/stable
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:41 2008
+Message-Id: <20080223002041.840917976@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:49 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [patch 03/38] NFS: Fix a potential file corruption issue when writing
+Content-Disposition: inline; filename=nfs-fix-a-potential-file-corruption-issue-when-writing.patch
+Status: RO
+Content-Length: 2862
+Lines: 83
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.
+
+If the inode is flagged as having an invalid mapping, then we can't rely on
+the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
+write optimisation in nfs_updatepage(), since that will cause NFS to write
+out areas of the page that are no longer guaranteed to be up to date.
+
+A potential corruption could occur in the following scenario:
+
+client 1 client 2
+=============== ===============
+ fd=open("f",O_CREAT|O_WRONLY,0644);
+ write(fd,"fubar\n",6); // cache last page
+ close(fd);
+fd=open("f",O_WRONLY|O_APPEND);
+write(fd,"foo\n",4);
+close(fd);
+
+ fd=open("f",O_WRONLY|O_APPEND);
+ write(fd,"bar\n",4);
+ close(fd);
+-----
+The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
+client 2 does not update the cached page after re-opening the file for
+write. Instead it keeps it marked as PageUptodate() until someone calls
+invalidate_inode_pages2() (typically by calling read()).
+
+The bug was introduced by commit 44b11874ff583b6e766a05856b04f3c492c32b84
+"NFS: Separate metadata and page cache revalidation mechanisms"
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/write.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -701,6 +701,17 @@ int nfs_flush_incompatible(struct file *
+ }
+
+ /*
++ * If the page cache is marked as unsafe or invalid, then we can't rely on
++ * the PageUptodate() flag. In this case, we will need to turn off
++ * write optimisations that depend on the page contents being correct.
++ */
++static int nfs_write_pageuptodate(struct page *page, struct inode *inode)
++{
++ return PageUptodate(page) &&
++ !(NFS_I(inode)->cache_validity & (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA));
++}
++
++/*
+ * Update and possibly write a cached page of an NFS file.
+ *
+ * XXX: Keep an eye on generic_file_read to make sure it doesn't do bad
+@@ -721,10 +732,13 @@ int nfs_updatepage(struct file *file, st
+ (long long)(page_offset(page) +offset));
+
+ /* If we're not using byte range locks, and we know the page
+- * is entirely in cache, it may be more efficient to avoid
+- * fragmenting write requests.
++ * is up to date, it may be more efficient to extend the write
++ * to cover the entire page in order to avoid fragmentation
++ * inefficiencies.
+ */
+- if (PageUptodate(page) && inode->i_flock == NULL && !(file->f_mode & O_SYNC)) {
++ if (nfs_write_pageuptodate(page, inode) &&
++ inode->i_flock == NULL &&
++ !(file->f_mode & O_SYNC)) {
+ count = max(count + offset, nfs_page_length(page));
+ offset = 0;
+ }
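Review bot: the rewritten condition in nfs_updatepage() still tests `file->f_mode & O_SYNC`, but O_SYNC is an open flag and open flags are kept in f_flags, while f_mode carries the FMODE_* bits, so this test does not check what it appears to. Since the line is being reflowed anyway it should become `!(file->f_flags & O_SYNC)`, or be fixed in a follow-up if the stable backport has to match mainline exactly. Separately, the return expression of nfs_write_pageuptodate() in the first hunk runs well past 80 columns and would read better with the two NFS_INO_* flags on their own continuation line.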
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002041.999298090@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:50 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ rlove@google.com,
+ clem.taylor@gmail.com,
+ amy.griffis@hp.com,
+ ttb@tentacle.dhs.org,
+ ulissesf@gmail.com
+Subject: [patch 04/38] inotify: fix check for one-shot watches before destroying them
+Content-Disposition: inline; filename=inotify-fix-check-for-one-shot-watches-before-destroying-them.patch
+Status: RO
+Content-Length: 1266
+Lines: 40
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ From: Ulisses Furquim <ulissesf@gmail.com>
+
+patch ac74c00e499ed276a965e5b5600667d5dc04a84a in mainline.
+
+As the IN_ONESHOT bit is never set when an event is sent we must check it
+in the watch's mask and not in the event's mask.
+
+Signed-off-by: Ulisses Furquim <ulissesf@gmail.com>
+Reported-by: "Clem Taylor" <clem.taylor@gmail.com>
+Tested-by: "Clem Taylor" <clem.taylor@gmail.com>
+Cc: Amy Griffis <amy.griffis@hp.com>
+Cc: Robert Love <rlove@google.com>
+Cc: John McCutchan <ttb@tentacle.dhs.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/inotify_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/inotify_user.c
++++ b/fs/inotify_user.c
+@@ -269,7 +269,7 @@ static void inotify_dev_queue_event(stru
+ /* we can safely put the watch as we don't reference it while
+ * generating the event
+ */
+- if (mask & IN_IGNORED || mask & IN_ONESHOT)
++ if (mask & IN_IGNORED || w->mask & IN_ONESHOT)
+ put_inotify_watch(w); /* final put */
+
+ /* coalescing: drop this event if it is a dupe of the previous */
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002042.159227984@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:51 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ wli@holomorphy.com,
+ agl@us.ibm.com,
+ nacc@us.ibm.com,
+ david@gibson.dropbear.id.au
+Subject: [patch 05/38] hugetlb: add locking for overcommit sysctl
+Content-Disposition: inline; filename=hugetlb-add-locking-for-overcommit-sysctl.patch
+Status: RO
+Content-Length: 2605
+Lines: 74
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+
+From: Nishanth Aravamudan <nacc@us.ibm.com>
+
+patch a3d0c6aa1bb342b9b2c7b123b52ac2f48a4d4d0a in mainline.
+
+When I replaced hugetlb_dynamic_pool with nr_overcommit_hugepages I used
+proc_doulongvec_minmax() directly. However, hugetlb.c's locking rules
+require that all counter modifications occur under the hugetlb_lock. Add a
+callback into the hugetlb code similar to the one for nr_hugepages. Grab
+the lock around the manipulation of nr_overcommit_hugepages in
+proc_doulongvec_minmax().
+
+Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com>
+Acked-by: Adam Litke <agl@us.ibm.com>
+Cc: David Gibson <david@gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli@holomorphy.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ include/linux/hugetlb.h | 1 +
+ kernel/sysctl.c | 2 +-
+ mm/hugetlb.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -17,6 +17,7 @@ static inline int is_vm_hugetlb_page(str
+ }
+
+ int hugetlb_sysctl_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
++int hugetlb_overcommit_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
+ int hugetlb_treat_movable_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
+ int copy_hugetlb_page_range(struct mm_struct *, struct mm_struct *, struct vm_area_struct *);
+ int follow_hugetlb_page(struct mm_struct *, struct vm_area_struct *, struct page **, struct vm_area_struct **, unsigned long *, int *, int, int);
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -910,7 +910,7 @@ static struct ctl_table vm_table[] = {
+ .data = &nr_overcommit_huge_pages,
+ .maxlen = sizeof(nr_overcommit_huge_pages),
+ .mode = 0644,
+- .proc_handler = &proc_doulongvec_minmax,
++ .proc_handler = &hugetlb_overcommit_handler,
+ },
+ #endif
+ {
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -605,6 +605,16 @@ int hugetlb_treat_movable_handler(struct
+ return 0;
+ }
+
++int hugetlb_overcommit_handler(struct ctl_table *table, int write,
++ struct file *file, void __user *buffer,
++ size_t *length, loff_t *ppos)
++{
++ spin_lock(&hugetlb_lock);
++ proc_doulongvec_minmax(table, write, file, buffer, length, ppos);
++ spin_unlock(&hugetlb_lock);
++ return 0;
++}
++
+ #endif /* CONFIG_SYSCTL */
+
+ int hugetlb_report_meminfo(char *buf)
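Review bot: hugetlb_overcommit_handler() calls proc_doulongvec_minmax() with the hugetlb_lock spinlock held, and that call is handed the `void __user *buffer`, so it copies to or from user space and can fault and sleep inside the locked region. Parsing into a local unsigned long and taking the lock only around the store to nr_overcommit_huge_pages avoids that. The handler also discards the return value of proc_doulongvec_minmax() and always returns 0, so a failed write is reported as success; return the helper's result instead.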
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002042.316841452@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:52 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ jack@suse.cz
+Subject: [patch 06/38] quota: turn quotas off when remounting read-only
+Content-Disposition: inline; filename=quota-turn-quotas-off-when-remounting-read-only.patch
+Status: RO
+Content-Length: 960
+Lines: 36
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+
+From: Jan Kara <jack@suse.cz>
+
+patch 66191dc622f5ff0a541524c4e96fdacfacfda206 in mainline.
+
+Turn off quotas before filesystem is remounted read only. Otherwise quota
+will try to write to read-only filesystem which does no good... We could
+also just refuse to remount ro when quota is enabled but turning quota off
+is consistent with what we do on umount.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -603,6 +603,7 @@ int do_remount_sb(struct super_block *sb
+ mark_files_ro(sb);
+ else if (!fs_may_remount_ro(sb))
+ return -EBUSY;
++ DQUOT_OFF(sb);
+ }
+
+ if (sb->s_op->remount_fs) {
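Review bot: DQUOT_OFF(sb) runs before `sb->s_op->remount_fs` is called, so if that call then fails the superblock stays read-write with quotas already switched off, and nothing in this hunk restores them or reports it. Handle the failure path (turn quota back on, or at least log that it was disabled) or state at the call site that quota is lost on a failed read-only remount. A one-line comment next to DQUOT_OFF() giving the reason from the changelog (quota must not write to a read-only filesystem, and this matches umount) would also help.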
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002042.478720127@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:53 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ greg@kroah.com,
+ chris@sous-sol.org,
+ Dave Chinner <dgc@sgi.com>,
+ Lachlan McIlroy <lachlan@sgi.com>
+Subject: [patch 07/38] XFS: Fix oops in xfs_file_readdir()
+Content-Disposition: inline; filename=xfs-fix-oops-in-xfs_file_readdir.patch
+Status: RO
+Content-Length: 1248
+Lines: 45
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ From: David Chinner <dgc@sgi.com>
+
+patch 450790a2c51e6d9d47ed30dbdcf486656b8e186f in mainline.
+
+Several occurrences of oops in xfs_file_readdir() on ia32 have been
+reported since 2.6.24 was released. This is a regression introduced
+in 2.6.24 and is relatively easy to hit. The patch below fixes the
+problem.
+
+
+Signed-off-by: Dave Chinner <dgc@sgi.com>
+Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/linux-2.6/xfs_file.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/xfs/linux-2.6/xfs_file.c
++++ b/fs/xfs/linux-2.6/xfs_file.c
+@@ -350,8 +350,8 @@ xfs_file_readdir(
+
+ size = buf.used;
+ de = (struct hack_dirent *)buf.dirent;
+- curr_offset = de->offset /* & 0x7fffffff */;
+ while (size > 0) {
++ curr_offset = de->offset /* & 0x7fffffff */;
+ if (filldir(dirent, de->name, de->namlen,
+ curr_offset & 0x7fffffff,
+ de->ino, de->d_type)) {
+@@ -362,7 +362,6 @@ xfs_file_readdir(
+ sizeof(u64));
+ size -= reclen;
+ de = (struct hack_dirent *)((char *)de + reclen);
+- curr_offset = de->offset /* & 0x7fffffff */;
+ }
+ }
+
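Review bot: the changelog says only that the oops is a 2.6.24 regression and does not say what causes it, which makes the fix hard to verify from the description. From the hunks, the removed assignment at the bottom of the loop read `de->offset` after `de` had been advanced by reclen, including on the final iteration when size has reached 0 and `de` points past the used part of the buffer; a sentence to that effect belongs in the description. The commented-out `/* & 0x7fffffff */` on the moved line could be dropped while here, since the mask is applied in the filldir() call two lines below.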
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002042.635319149@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:54 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Jeff Garzik <jgarzik@pobox.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Al Viro <viro@zeniv.linux.org.uk>
+Subject: [patch 08/38] Fix dl2k constants
+Content-Disposition: inline; filename=fix-dl2k-constants.patch
+Status: RO
+Content-Length: 1104
+Lines: 37
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+
+patch 9c52fab2f187636b39afb0dcf562872ed42ab608 in mainline.
+
+The MSSR constants didn't match the reality - bitfield declarations
+used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum
+had them the other way round. Went unnoticed until the switch from
+the bitfields use to the explicit arithmetics and I hadn't caught that one
+when verifying correctness of change...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/dl2k.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -388,8 +388,8 @@ enum _mii_mssr {
+ MII_MSSR_CFG_RES = 0x4000,
+ MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
+ MII_MSSR_REMOTE_RCVR = 0x1000,
+- MII_MSSR_LP_1000BT_HD = 0x0800,
+- MII_MSSR_LP_1000BT_FD = 0x0400,
++ MII_MSSR_LP_1000BT_FD = 0x0800,
++ MII_MSSR_LP_1000BT_HD = 0x0400,
+ MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
+ };
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:42 2008
+Message-Id: <20080223002042.794518852@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:55 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tony Battersby <tonyb@cybernetics.com>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>
+Subject: [patch 09/38] SCSI: sd: handle bad lba in sense information
+Content-Disposition: inline; filename=scsi-sd-handle-bad-lba-in-sense-information.patch
+Status: RO
+Content-Length: 2276
+Lines: 78
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.
+
+Some devices report medium error locations incorrectly. Add guards to
+make sure the reported bad lba is actually in the request that caused
+it. Additionally remove the large case statment for sector sizes and
+replace it with the proper u64 divisions.
+
+Tested-by: Mike Snitzer <snitzer@gmail.com>
+Cc: Stable Tree <stable@kernel.org>
+Cc: Tony Battersby <tonyb@cybernetics.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/sd.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -907,6 +907,7 @@ static int sd_done(struct scsi_cmnd *SCp
+ unsigned int xfer_size = SCpnt->request_bufflen;
+ unsigned int good_bytes = result ? 0 : xfer_size;
+ u64 start_lba = SCpnt->request->sector;
++ u64 end_lba = SCpnt->request->sector + (xfer_size / 512);
+ u64 bad_lba;
+ struct scsi_sense_hdr sshdr;
+ int sense_valid = 0;
+@@ -945,26 +946,23 @@ static int sd_done(struct scsi_cmnd *SCp
+ goto out;
+ if (xfer_size <= SCpnt->device->sector_size)
+ goto out;
+- switch (SCpnt->device->sector_size) {
+- case 256:
++ if (SCpnt->device->sector_size < 512) {
++ /* only legitimate sector_size here is 256 */
+ start_lba <<= 1;
+- break;
+- case 512:
+- break;
+- case 1024:
+- start_lba >>= 1;
+- break;
+- case 2048:
+- start_lba >>= 2;
+- break;
+- case 4096:
+- start_lba >>= 3;
+- break;
+- default:
+- /* Print something here with limiting frequency. */
+- goto out;
+- break;
++ end_lba <<= 1;
++ } else {
++ /* be careful ... don't want any overflows */
++ u64 factor = SCpnt->device->sector_size / 512;
++ do_div(start_lba, factor);
++ do_div(end_lba, factor);
+ }
++
++ if (bad_lba < start_lba || bad_lba >= end_lba)
++ /* the bad lba was reported incorrectly, we have
++ * no idea where the error is
++ */
++ goto out;
++
+ /* This computation should always be done in terms of
+ * the resolution of the device's medium.
+ */
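Review bot: the if/else that replaces the switch no longer rejects unexpected sector sizes: the removed `default:` case jumped to out, whereas now every size below 512 is scaled as if it were 256 and every other size is divided by `sector_size / 512` with any remainder silently dropped. If sector_size is validated elsewhere, say so in the comment; otherwise keep a bail-out for values that are neither 256 nor a multiple of 512. Also, do_div() takes a 32-bit divisor, so `factor` is better declared as unsigned int than u64, and the hard-coded `xfer_size / 512` that initialises end_lba in the first hunk deserves a short comment that request->sector is in 512-byte units at that point.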
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002042.956662364@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:56 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Shan Wei <shanwei@cn.fujitsu.com>,
+ Stephen Hemminger <shemminger@vyatta.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 10/38] TCP: Fix a bug in strategy_allowed_congestion_control
+Content-Disposition: inline; filename=tcp-fix-a-bug-in-strategy_allowed_congestion_control.patch
+Status: RO
+Content-Length: 1188
+Lines: 35
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+ Upstream commit: 16ca3f913001efdb6171a2781ef41c77474e3895
+
+In strategy_allowed_congestion_control of the 2.6.24 kernel, when
+sysctl_string return 1 on success,it should call
+tcp_set_allowed_congestion_control to set the allowed congestion
+control.But, it don't. the sysctl_string return 1 on success,
+otherwise return negative, never return 0.The patch fix the problem.
+
+Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -248,7 +248,7 @@ static int strategy_allowed_congestion_c
+
+ tcp_get_available_congestion_control(tbl.data, tbl.maxlen);
+ ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen);
+- if (ret == 0 && newval && newlen)
++ if (ret == 1 && newval && newlen)
+ ret = tcp_set_allowed_congestion_control(tbl.data);
+ kfree(tbl.data);
+
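Review bot: the test ret == 1 hard-codes the success value of sysctl_string() with no comment, which is the same kind of assumption that caused the original bug with ret == 0. Since the commit message states the helper returns 1 on success and a negative value otherwise, ret > 0 would express the intent and survive a change in the exact positive value. Note as well that on success ret is overwritten by the result of tcp_set_allowed_congestion_control(), so the strategy routine now returns 0 rather than 1 on that path; worth confirming the sysctl core treats both the same.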
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002043.116509216@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:57 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@vyatta.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 11/38] TC: oops in em_meta
+Content-Disposition: inline; filename=tc-oops-in-em_meta.patch
+Status: RO
+Content-Length: 1359
+Lines: 46
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+
+Upstream commit: 04f217aca4d803fe72c2c54fe460d68f5233ce52
+
+If userspace passes a unknown match index into em_meta, then
+em_meta_change will return an error and the data for the match will
+not be set. This then causes an null pointer dereference when the
+cleanup is done in the error path via tcf_em_tree_destroy. Since the
+tree structure comes kzalloc, it is initialized to NULL.
+
+Discovered when testing a new version of tc command against an
+accidental older kernel.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/em_meta.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/sched/em_meta.c
++++ b/net/sched/em_meta.c
+@@ -719,11 +719,13 @@ static int em_meta_match(struct sk_buff
+
+ static inline void meta_delete(struct meta_match *meta)
+ {
+- struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);
++ if (meta) {
++ struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);
+
+- if (ops && ops->destroy) {
+- ops->destroy(&meta->lvalue);
+- ops->destroy(&meta->rvalue);
++ if (ops && ops->destroy) {
++ ops->destroy(&meta->lvalue);
++ ops->destroy(&meta->rvalue);
++ }
+ }
+
+ kfree(meta);
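Review bot: the new if (meta) wrapper in meta_delete() re-indents the whole body when an early exit would do; kfree(NULL) is a no-op, so "if (!meta) return;" at the top gives the same behaviour with a two-line diff. A short comment saying that meta can be NULL when em_meta_change failed before the data was set would also help, since nothing in the function signature suggests a NULL argument is expected.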
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002043.269648093@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:58 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Paul Moore <paul.moore@hp.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 12/38] SELinux: Fix double free in selinux_netlbl_sock_setsid()
+Content-Disposition: inline; filename=selinux-fix-double-free-in-selinux_netlbl_sock_setsid.patch
+Status: RO
+Content-Length: 1016
+Lines: 33
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: e1770d97a730ff4c3aa1775d98f4d0558390607f
+
+As pointed out by Adrian Bunk, commit
+45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel
+code") caused a double-free when security_netlbl_sid_to_secattr()
+fails. This patch fixes this by removing the netlbl_secattr_destroy()
+call from that function since we are already releasing the secattr
+memory in selinux_netlbl_sock_setsid().
+
+Signed-off-by: Paul Moore <paul.moore@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/ss/services.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2629,7 +2629,6 @@ int security_netlbl_sid_to_secattr(u32 s
+
+ netlbl_sid_to_secattr_failure:
+ POLICY_RDUNLOCK;
+- netlbl_secattr_destroy(secattr);
+ return rc;
+ }
+ #endif /* CONFIG_NETLABEL */
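Review bot: dropping netlbl_secattr_destroy(secattr) from the netlbl_sid_to_secattr_failure path moves cleanup responsibility to the caller on failure, but nothing in the hunk documents that contract. The commit message only names selinux_netlbl_sock_setsid() as a caller that already destroys the secattr; every other caller of security_netlbl_sid_to_secattr() needs the same check, otherwise this trades the double free for a leak. A line in the function's comment block stating that the caller owns secattr on both success and failure would make the rule explicit.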
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002043.432608679@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:19:59 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@vyatta.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 13/38] PKT_SCHED: ematch: oops from uninitialized variable (resend)
+Content-Disposition: inline; filename=pkt_sched-ematch-oops-from-uninitialized-variable.patch
+Status: RO
+Content-Length: 2432
+Lines: 60
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 268bcca1e7b0d244afd07ea89cda672e61b0fc4a
+
+Setting up a meta match causes a kernel OOPS because of uninitialized
+elements in tree.
+
+[ 37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[ 37.322381] IP: [<ffffffff883fc717>] :em_meta:em_meta_destroy+0x17/0x80
+
+[ 37.322381] Call Trace:
+[ 37.322381] [<ffffffff803ec83d>] tcf_em_tree_destroy+0x2d/0xa0
+[ 37.322381] [<ffffffff803ecc8c>] tcf_em_tree_validate+0x2dc/0x4a0
+[ 37.322381] [<ffffffff803f06d2>] nla_parse+0x92/0xe0
+[ 37.322381] [<ffffffff883f9672>] :cls_basic:basic_change+0x202/0x3c0
+[ 37.322381] [<ffffffff802a3917>] kmem_cache_alloc+0x67/0xa0
+[ 37.322381] [<ffffffff803ea221>] tc_ctl_tfilter+0x3b1/0x580
+[ 37.322381] [<ffffffff803dffd0>] rtnetlink_rcv_msg+0x0/0x260
+[ 37.322381] [<ffffffff803ee944>] netlink_rcv_skb+0x74/0xa0
+[ 37.322381] [<ffffffff803dffc8>] rtnetlink_rcv+0x18/0x20
+[ 37.322381] [<ffffffff803ee6c3>] netlink_unicast+0x263/0x290
+[ 37.322381] [<ffffffff803cf276>] __alloc_skb+0x96/0x160
+[ 37.322381] [<ffffffff803ef014>] netlink_sendmsg+0x274/0x340
+[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
+[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
+[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
+[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
+[ 37.322381] [<ffffffff80288611>] zone_statistics+0xb1/0xc0
+[ 37.322381] [<ffffffff803c7e5e>] sys_sendmsg+0x20e/0x360
+[ 37.322381] [<ffffffff803c7411>] sockfd_lookup_light+0x41/0x80
+[ 37.322381] [<ffffffff8028d04b>] handle_mm_fault+0x3eb/0x7f0
+[ 37.322381] [<ffffffff8020c2fb>] system_call_after_swapgs+0x7b/0x80
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/ematch.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -305,10 +305,9 @@ int tcf_em_tree_validate(struct tcf_prot
+ struct tcf_ematch_tree_hdr *tree_hdr;
+ struct tcf_ematch *em;
+
+- if (!rta) {
+- memset(tree, 0, sizeof(*tree));
++ memset(tree, 0, sizeof(*tree));
++ if (!rta)
+ return 0;
+- }
+
+ if (rtattr_parse_nested(tb, TCA_EMATCH_TREE_MAX, rta) < 0)
+ goto errout;
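Review bot: the memset() now runs unconditionally at the top of tcf_em_tree_validate(), which is the right place, but the reason is not stated in the code. The errout path ends up in tcf_em_tree_destroy() (see the call trace in the commit message), so tree must be zeroed before the first goto errout. A one-line comment above the memset saying so would stop someone from moving it back under the !rta check as an optimisation.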
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002043.594723836@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:00 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <stephen.hemminger@vyatta.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 14/38] NET: Add if_addrlabel.h to sanitized headers.
+Content-Disposition: inline; filename=net-add-if_addrlabel.h-to-sanitized-headers.patch
+Status: RO
+Content-Length: 711
+Lines: 28
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: dded91611a728d65721cdab3dd41d801a356fa15
+
+if_addrlabel.h is needed for iproute2 usage.
+
+Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -217,6 +217,7 @@ unifdef-y += i2o-dev.h
+ unifdef-y += icmp.h
+ unifdef-y += icmpv6.h
+ unifdef-y += if_addr.h
++unifdef-y += if_addrlabel.h
+ unifdef-y += if_arp.h
+ unifdef-y += if_bridge.h
+ unifdef-y += if_ec.h
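Review bot: the new entry goes on the unifdef-y list, which is for headers that need their __KERNEL__ sections stripped on export. If if_addrlabel.h has no such sections, header-y is the list for headers exported verbatim. The placement keeps alphabetical order either way, so this is only a question of which list is correct.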
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:43 2008
+Message-Id: <20080223002043.754725945@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Julian Anastasov <ja@ssi.bg>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 15/38] IPV4: fib_trie: apply fixes from fib_hash
+Content-Disposition: inline; filename=ipv4-fib_trie-apply-fixes-from-fib_hash.patch
+Status: RO
+Content-Length: 3681
+Lines: 124
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6
+
+ Update fib_trie with some fib_hash fixes:
+- check for duplicate alternative routes for prefix+tos+priority when
+replacing route
+- properly insert by matching tos together with priority
+- fix alias walking to use list_for_each_entry_continue for insertion
+and deletion when fa_head is not NULL
+- copy state from fa to new_fa on replace (not a problem for now)
+- additionally, avoid replacement without error if new route is same,
+as Joonwoo Park suggests.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/fib_trie.c | 57 ++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1203,20 +1203,45 @@ static int fn_trie_insert(struct fib_tab
+ * and we need to allocate a new one of those as well.
+ */
+
+- if (fa && fa->fa_info->fib_priority == fi->fib_priority) {
+- struct fib_alias *fa_orig;
++ if (fa && fa->fa_tos == tos &&
++ fa->fa_info->fib_priority == fi->fib_priority) {
++ struct fib_alias *fa_first, *fa_match;
+
+ err = -EEXIST;
+ if (cfg->fc_nlflags & NLM_F_EXCL)
+ goto out;
+
++ /* We have 2 goals:
++ * 1. Find exact match for type, scope, fib_info to avoid
++ * duplicate routes
++ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
++ */
++ fa_match = NULL;
++ fa_first = fa;
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, fa_head, fa_list) {
++ if (fa->fa_tos != tos)
++ break;
++ if (fa->fa_info->fib_priority != fi->fib_priority)
++ break;
++ if (fa->fa_type == cfg->fc_type &&
++ fa->fa_scope == cfg->fc_scope &&
++ fa->fa_info == fi) {
++ fa_match = fa;
++ break;
++ }
++ }
++
+ if (cfg->fc_nlflags & NLM_F_REPLACE) {
+ struct fib_info *fi_drop;
+ u8 state;
+
+- if (fi->fib_treeref > 1)
++ fa = fa_first;
++ if (fa_match) {
++ if (fa == fa_match)
++ err = 0;
+ goto out;
+-
++ }
+ err = -ENOBUFS;
+ new_fa = kmem_cache_alloc(fn_alias_kmem, GFP_KERNEL);
+ if (new_fa == NULL)
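Review bot: in the NLM_F_REPLACE branch, "if (fa_match) { if (fa == fa_match) err = 0; goto out; }" returns two different results from one block without saying why. When fa_match is the first alias the request is treated as a successful no-op, and when it is a later alias the function exits with the -EEXIST set earlier. A comment on each outcome would make that readable. The cursor setup "fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list)" also deserves a note: when fa_first is the first element, the result is a pointer computed from the list head rather than a real fib_alias, and it is only safe because list_for_each_entry_continue() advances before the body runs.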
+@@ -1228,7 +1253,7 @@ static int fn_trie_insert(struct fib_tab
+ new_fa->fa_type = cfg->fc_type;
+ new_fa->fa_scope = cfg->fc_scope;
+ state = fa->fa_state;
+- new_fa->fa_state &= ~FA_S_ACCESSED;
++ new_fa->fa_state = state & ~FA_S_ACCESSED;
+
+ list_replace_rcu(&fa->fa_list, &new_fa->fa_list);
+ alias_free_mem_rcu(fa);
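Review bot: new_fa->fa_state was being read-modified-written on an object that came straight from kmem_cache_alloc(), so the old line operated on uninitialised memory; the new assignment from state fixes that field only. Any member of new_fa not assigned in this block is still uninitialised. Either assign every field here or allocate with a zeroing variant so the next added member does not repeat the problem.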
+@@ -1245,20 +1270,11 @@ static int fn_trie_insert(struct fib_tab
+ * uses the same scope, type, and nexthop
+ * information.
+ */
+- fa_orig = fa;
+- list_for_each_entry(fa, fa_orig->fa_list.prev, fa_list) {
+- if (fa->fa_tos != tos)
+- break;
+- if (fa->fa_info->fib_priority != fi->fib_priority)
+- break;
+- if (fa->fa_type == cfg->fc_type &&
+- fa->fa_scope == cfg->fc_scope &&
+- fa->fa_info == fi) {
+- goto out;
+- }
+- }
++ if (fa_match)
++ goto out;
++
+ if (!(cfg->fc_nlflags & NLM_F_APPEND))
+- fa = fa_orig;
++ fa = fa_first;
+ }
+ err = -ENOENT;
+ if (!(cfg->fc_nlflags & NLM_F_CREATE))
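Review bot: "if (fa_match) goto out;" depends on err still holding the -EEXIST assigned at the top of the enclosing block, many lines earlier and across the whole NLM_F_REPLACE branch. Setting err = -EEXIST immediately before this goto would keep the return value correct if code in between ever changes err and falls through.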
+@@ -1614,9 +1630,8 @@ static int fn_trie_delete(struct fib_tab
+ pr_debug("Deleting %08x/%d tos=%d t=%p\n", key, plen, tos, t);
+
+ fa_to_delete = NULL;
+- fa_head = fa->fa_list.prev;
+-
+- list_for_each_entry(fa, fa_head, fa_list) {
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, fa_head, fa_list) {
+ struct fib_info *fi = fa->fa_info;
+
+ if (fa->fa_tos != tos)
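Review bot: the loop in fn_trie_delete() now treats fa_head as the real list head instead of reassigning it to fa->fa_list.prev, so its correctness depends on fa_head having been set and checked earlier in the function, outside this hunk. The commit message says the change applies "when fa_head is not NULL"; please confirm that a NULL fa_head cannot reach this loop, or add the check here.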
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002043.912275926@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:02 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Julian Anastasov <ja@ssi.bg>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 16/38] IPV4: fib: fix route replacement, fib_info is shared
+Content-Disposition: inline; filename=ipv4-fib-fix-route-replacement-fib_info-is-shared.patch
+Status: RO
+Content-Length: 2657
+Lines: 96
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: c18865f39276435abb9286f9a816cb5b66c99a00
+
+fib_info can be shared by many route prefixes but we don't want
+duplicate alternative routes for a prefix+tos+priority. Last change
+was not correct to check fib_treeref because it accounts usage from
+other prefixes. Additionally, avoid replacement without error if new
+route is same, as Joonwoo Park suggests.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/fib_hash.c | 47 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 31 insertions(+), 16 deletions(-)
+
+--- a/net/ipv4/fib_hash.c
++++ b/net/ipv4/fib_hash.c
+@@ -434,19 +434,43 @@ static int fn_hash_insert(struct fib_tab
+
+ if (fa && fa->fa_tos == tos &&
+ fa->fa_info->fib_priority == fi->fib_priority) {
+- struct fib_alias *fa_orig;
++ struct fib_alias *fa_first, *fa_match;
+
+ err = -EEXIST;
+ if (cfg->fc_nlflags & NLM_F_EXCL)
+ goto out;
+
++ /* We have 2 goals:
++ * 1. Find exact match for type, scope, fib_info to avoid
++ * duplicate routes
++ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
++ */
++ fa_match = NULL;
++ fa_first = fa;
++ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
++ list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
++ if (fa->fa_tos != tos)
++ break;
++ if (fa->fa_info->fib_priority != fi->fib_priority)
++ break;
++ if (fa->fa_type == cfg->fc_type &&
++ fa->fa_scope == cfg->fc_scope &&
++ fa->fa_info == fi) {
++ fa_match = fa;
++ break;
++ }
++ }
++
+ if (cfg->fc_nlflags & NLM_F_REPLACE) {
+ struct fib_info *fi_drop;
+ u8 state;
+
+- if (fi->fib_treeref > 1)
++ fa = fa_first;
++ if (fa_match) {
++ if (fa == fa_match)
++ err = 0;
+ goto out;
+-
++ }
+ write_lock_bh(&fib_hash_lock);
+ fi_drop = fa->fa_info;
+ fa->fa_info = fi;
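Review bot: the fa_match/fa_first scan added here is a line-for-line copy of the block added to fn_trie_insert() in the fib_trie patch, differing only in the list head argument (&f->fn_alias versus fa_head). Two copies of the same duplicate-route check is how the two back ends drifted apart in the first place, which is what the previous patch had to repair. A shared helper taking the list head, tos, priority and cfg would keep them in step.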
+@@ -469,20 +493,11 @@ static int fn_hash_insert(struct fib_tab
+ * uses the same scope, type, and nexthop
+ * information.
+ */
+- fa_orig = fa;
+- fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
+- list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
+- if (fa->fa_tos != tos)
+- break;
+- if (fa->fa_info->fib_priority != fi->fib_priority)
+- break;
+- if (fa->fa_type == cfg->fc_type &&
+- fa->fa_scope == cfg->fc_scope &&
+- fa->fa_info == fi)
+- goto out;
+- }
++ if (fa_match)
++ goto out;
++
+ if (!(cfg->fc_nlflags & NLM_F_APPEND))
+- fa = fa_orig;
++ fa = fa_first;
+ }
+
+ err = -ENOENT;
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002044.074936474@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:03 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 17/38] IPCOMP: Fix reception of incompressible packets
+Content-Disposition: inline; filename=ipcomp-fix-reception-of-incompressible-packets.patch
+Status: RO
+Content-Length: 905
+Lines: 31
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: b1641064a3f4a58644bc2e8edf40c025c58473b4
+
+I made a silly typo by entering IPPROTO_IP (== 0) instead of
+IPPROTO_IPIP (== 4). This broke the reception of incompressible
+packets.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/xfrm4_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/xfrm4_tunnel.c
++++ b/net/ipv4/xfrm4_tunnel.c
+@@ -50,7 +50,7 @@ static struct xfrm_type ipip_type = {
+
+ static int xfrm_tunnel_rcv(struct sk_buff *skb)
+ {
+- return xfrm4_rcv_spi(skb, IPPROTO_IP, ip_hdr(skb)->saddr);
++ return xfrm4_rcv_spi(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr);
+ }
+
+ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002044.236006806@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:04 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 18/38] IPCOMP: Fetch nexthdr before ipch is destroyed
+Content-Disposition: inline; filename=ipcomp-fetch-nexthdr-before-ipch-is-destroyed.patch
+Status: RO
+Content-Length: 2134
+Lines: 80
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 2614fa59fa805cd488083c5602eb48533cdbc018
+
+When I moved the nexthdr setting out of IPComp I accidently moved
+the reading of ipch->nexthdr after the decompression. Unfortunately
+this means that we'd be reading from a stale ipch pointer which
+doesn't work very well.
+
+This patch moves the reading up so that we get the correct nexthdr
+value.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ipcomp.c | 5 ++++-
+ net/ipv6/ipcomp6.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ipcomp.c
++++ b/net/ipv4/ipcomp.c
+@@ -74,6 +74,7 @@ out:
+
+ static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
++ int nexthdr;
+ int err = -ENOMEM;
+ struct ip_comp_hdr *ipch;
+
+@@ -84,13 +85,15 @@ static int ipcomp_input(struct xfrm_stat
+
+ /* Remove ipcomp header and decompress original payload */
+ ipch = (void *)skb->data;
++ nexthdr = ipch->nexthdr;
++
+ skb->transport_header = skb->network_header + sizeof(*ipch);
+ __skb_pull(skb, sizeof(*ipch));
+ err = ipcomp_decompress(x, skb);
+ if (err)
+ goto out;
+
+- err = ipch->nexthdr;
++ err = nexthdr;
+
+ out:
+ return err;
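Review bot: after this change ipch is still assigned and stays in scope past ipcomp_decompress(), so the stale pointer remains available to the next person editing ipcomp_input(). A comment at "nexthdr = ipch->nexthdr;" saying that decompression may replace the skb data and invalidate ipch would document why the value is cached. Limiting the pointer's lifetime (for example by reading the field directly from skb->data and dropping the ipch variable in favour of sizeof(struct ip_comp_hdr)) would remove the hazard entirely.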
+--- a/net/ipv6/ipcomp6.c
++++ b/net/ipv6/ipcomp6.c
+@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list);
+
+ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
++ int nexthdr;
+ int err = -ENOMEM;
+ struct ip_comp_hdr *ipch;
+ int plen, dlen;
+@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_sta
+
+ /* Remove ipcomp header and decompress original payload */
+ ipch = (void *)skb->data;
++ nexthdr = ipch->nexthdr;
++
+ skb->transport_header = skb->network_header + sizeof(*ipch);
+ __skb_pull(skb, sizeof(*ipch));
+
+@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_sta
+ skb->truesize += dlen - plen;
+ __skb_put(skb, dlen - plen);
+ skb_copy_to_linear_data(skb, scratch, dlen);
+- err = ipch->nexthdr;
++ err = nexthdr;
+
+ out_put_cpu:
+ put_cpu();
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002044.390401359@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:05 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Arnaldo Carvalho de Melo <acme@redhat.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 19/38] INET_DIAG: Fix inet_diag_lock_handler error path.
+Content-Disposition: inline; filename=inet_diag-fix-inet_diag_lock_handler-error-path.patch
+Status: RO
+Content-Length: 2050
+Lines: 72
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 8cf8e5a67fb07f583aac94482ba51a7930dab493
+
+Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825
+
+The inet_diag_lock_handler function uses ERR_PTR to encode errors but
+its callers were testing against NULL.
+
+This only happens when the only inet_diag modular user, DCCP, is not
+built into the kernel or available as a module.
+
+Also there was a problem with not dropping the mutex lock when a handler
+was not found, also fixed in this patch.
+
+This caused an OOPS and ss would then hang on subsequent calls, as
+&inet_diag_table_mutex was being left locked.
+
+Thanks to spike at ml.yaroslavl.ru for report it after trying 'ss -d'
+on a kernel that doesn't have DCCP available.
+
+This bug was introduced in cset
+d523a328fb0271e1a763e985a21f2488fd816e7e ("Fix inet_diag dead-lock
+regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected.
+
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/inet_diag.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -259,8 +259,10 @@ static int inet_diag_get_exact(struct sk
+ const struct inet_diag_handler *handler;
+
+ handler = inet_diag_lock_handler(nlh->nlmsg_type);
+- if (!handler)
+- return -ENOENT;
++ if (IS_ERR(handler)) {
++ err = PTR_ERR(handler);
++ goto unlock;
++ }
+
+ hashinfo = handler->idiag_hashinfo;
+ err = -EINVAL;
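Review bot: on the IS_ERR(handler) path in inet_diag_get_exact() the code jumps to unlock with handler holding an error-encoded pointer. If that label calls inet_diag_unlock_handler(handler), as the unlock label in inet_diag_dump() does later in this patch, the unlock helper receives an ERR_PTR value. That is only safe if the helper never dereferences its argument; a comment to that effect, or an unlock helper that takes no argument, would make the intent clear.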
+@@ -708,8 +710,8 @@ static int inet_diag_dump(struct sk_buff
+ struct inet_hashinfo *hashinfo;
+
+ handler = inet_diag_lock_handler(cb->nlh->nlmsg_type);
+- if (!handler)
+- goto no_handler;
++ if (IS_ERR(handler))
++ goto unlock;
+
+ hashinfo = handler->idiag_hashinfo;
+
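Review bot: in inet_diag_dump() the IS_ERR(handler) branch jumps to unlock without recording PTR_ERR(handler), and the function then returns skb->len as on the success path. A missing handler is therefore reported to the caller as an empty but successful dump. If that is intentional it should be commented; otherwise return the error as inet_diag_get_exact() now does.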
+@@ -838,7 +840,6 @@ done:
+ cb->args[2] = num;
+ unlock:
+ inet_diag_unlock_handler(handler);
+-no_handler:
+ return skb->len;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002044.564533546@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:06 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 20/38] INET: Prevent out-of-sync truesize on ip_fragment slow path
+Content-Disposition: inline; filename=inet-prevent-out-of-sync-truesize-on-ip_fragment-slow-path.patch
+Status: RO
+Content-Length: 2368
+Lines: 77
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 29ffe1a5c52dae13b6efead97aab9b058f38fce4
+
+When ip_fragment has to hit the slow path the value of skb->truesize
+may go out of sync because we would have updated it without changing
+the packet length. This violates the constraints on truesize.
+
+This patch postpones the update of skb->truesize to prevent this.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_output.c | 4 +++-
+ net/ipv6/ip6_output.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -462,6 +462,7 @@ int ip_fragment(struct sk_buff *skb, int
+ if (skb_shinfo(skb)->frag_list) {
+ struct sk_buff *frag;
+ int first_len = skb_pagelen(skb);
++ int truesizes = 0;
+
+ if (first_len - hlen > mtu ||
+ ((first_len - hlen) & 7) ||
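Review bot: truesizes is declared int but accumulates frag->truesize and is later subtracted from skb->truesize, both of which are unsigned quantities in struct sk_buff. Declaring it unsigned int avoids a mixed-sign subtraction and matches the field it adjusts.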
+@@ -485,7 +486,7 @@ int ip_fragment(struct sk_buff *skb, int
+ sock_hold(skb->sk);
+ frag->sk = skb->sk;
+ frag->destructor = sock_wfree;
+- skb->truesize -= frag->truesize;
++ truesizes += frag->truesize;
+ }
+ }
+
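Review bot: deferring the truesize adjustment fixes only one of the side effects performed in this loop. sock_hold(skb->sk), frag->sk = skb->sk and frag->destructor = sock_wfree are still applied to each fragment as it is visited, so if a later fragment fails the checks and the slow path is taken, the earlier fragments keep the socket reference and destructor. Please confirm the slow path copes with fragments in that state, or defer these assignments in the same way as truesizes.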
+@@ -496,6 +497,7 @@ int ip_fragment(struct sk_buff *skb, int
+ frag = skb_shinfo(skb)->frag_list;
+ skb_shinfo(skb)->frag_list = NULL;
+ skb->data_len = first_len - skb_headlen(skb);
++ skb->truesize -= truesizes;
+ skb->len = first_len;
+ iph->tot_len = htons(first_len);
+ iph->frag_off = htons(IP_MF);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -609,6 +609,7 @@ static int ip6_fragment(struct sk_buff *
+
+ if (skb_shinfo(skb)->frag_list) {
+ int first_len = skb_pagelen(skb);
++ int truesizes = 0;
+
+ if (first_len - hlen > mtu ||
+ ((first_len - hlen) & 7) ||
+@@ -631,7 +632,7 @@ static int ip6_fragment(struct sk_buff *
+ sock_hold(skb->sk);
+ frag->sk = skb->sk;
+ frag->destructor = sock_wfree;
+- skb->truesize -= frag->truesize;
++ truesizes += frag->truesize;
+ }
+ }
+
+@@ -662,6 +663,7 @@ static int ip6_fragment(struct sk_buff *
+
+ first_len = skb_pagelen(skb);
+ skb->data_len = first_len - skb_headlen(skb);
++ skb->truesize -= truesizes;
+ skb->len = first_len;
+ ipv6_hdr(skb)->payload_len = htons(first_len -
+ sizeof(struct ipv6hdr));
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:44 2008
+Message-Id: <20080223002044.705070402@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:07 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Dave Young <hidave.darkstar@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 21/38] BLUETOOTH: Add conn add/del workqueues to avoid connection fail.
+Content-Disposition: inline; filename=bluetooth-add-conn-add-del-workqueues-to-avoid-connection-fail.patch
+Status: RO
+Content-Length: 2979
+Lines: 122
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: b6c0632105f7d7548f1d642ba830088478d4f2b0
+
+The bluetooth hci_conn sysfs add/del executed in the default
+workqueue. If the del_conn is executed after the new add_conn with
+same target, add_conn will failed with warning of "same kobject name".
+
+Here add btaddconn & btdelconn workqueues, flush the btdelconn
+workqueue in the add_conn function to avoid the issue.
+
+Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/hci_sysfs.c | 48 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -12,6 +12,8 @@
+ #undef BT_DBG
+ #define BT_DBG(D...)
+ #endif
++static struct workqueue_struct *btaddconn;
++static struct workqueue_struct *btdelconn;
+
+ static inline char *typetostr(int type)
+ {
+@@ -279,6 +281,7 @@ static void add_conn(struct work_struct
+ struct hci_conn *conn = container_of(work, struct hci_conn, work);
+ int i;
+
++ flush_workqueue(btdelconn);
+ if (device_add(&conn->dev) < 0) {
+ BT_ERR("Failed to register connection device");
+ return;
+@@ -313,6 +316,7 @@ void hci_conn_add_sysfs(struct hci_conn
+
+ INIT_WORK(&conn->work, add_conn);
+
++ queue_work(btaddconn, &conn->work);
+ schedule_work(&conn->work);
+ }
+
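Review bot: the added queue_work(btaddconn, &conn->work) sits directly above the unchanged schedule_work(&conn->work), so the same work item is submitted twice in hci_conn_add_sysfs(). While the item is still pending the second call does nothing, but if the btaddconn thread has already picked it up, schedule_work() queues it again on the default workqueue and add_conn() runs a second time for the same connection. The schedule_work() line should be removed, not kept as context.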
+@@ -349,6 +353,7 @@ void hci_conn_del_sysfs(struct hci_conn
+
+ INIT_WORK(&conn->work, del_conn);
+
++ queue_work(btdelconn, &conn->work);
+ schedule_work(&conn->work);
+ }
+
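Review bot: in hci_conn_del_sysfs() the new queue_work(btdelconn, &conn->work) is followed by the unchanged schedule_work(&conn->work). If the item ends up requeued on the default workqueue, the flush_workqueue(btdelconn) added to add_conn() does not wait for it, which is exactly the ordering this patch is meant to guarantee. Drop the schedule_work() call here.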
+@@ -398,31 +403,52 @@ int __init bt_sysfs_init(void)
+ {
+ int err;
+
++ btaddconn = create_singlethread_workqueue("btaddconn");
++ if (!btaddconn) {
++ err = -ENOMEM;
++ goto out;
++ }
++ btdelconn = create_singlethread_workqueue("btdelconn");
++ if (!btdelconn) {
++ err = -ENOMEM;
++ goto out_del;
++ }
++
+ bt_platform = platform_device_register_simple("bluetooth", -1, NULL, 0);
+- if (IS_ERR(bt_platform))
+- return PTR_ERR(bt_platform);
++ if (IS_ERR(bt_platform)) {
++ err = PTR_ERR(bt_platform);
++ goto out_platform;
++ }
+
+ err = bus_register(&bt_bus);
+- if (err < 0) {
+- platform_device_unregister(bt_platform);
+- return err;
+- }
++ if (err < 0)
++ goto out_bus;
+
+ bt_class = class_create(THIS_MODULE, "bluetooth");
+ if (IS_ERR(bt_class)) {
+- bus_unregister(&bt_bus);
+- platform_device_unregister(bt_platform);
+- return PTR_ERR(bt_class);
++ err = PTR_ERR(bt_class);
++ goto out_class;
+ }
+
+ return 0;
++
++out_class:
++ bus_unregister(&bt_bus);
++out_bus:
++ platform_device_unregister(bt_platform);
++out_platform:
++ destroy_workqueue(btdelconn);
++out_del:
++ destroy_workqueue(btaddconn);
++out:
++ return err;
+ }
+
+ void bt_sysfs_cleanup(void)
+ {
++ destroy_workqueue(btaddconn);
++ destroy_workqueue(btdelconn);
+ class_destroy(bt_class);
+-
+ bus_unregister(&bt_bus);
+-
+ platform_device_unregister(bt_platform);
+ }
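Review bot: the error labels in bt_sysfs_init() are named after the step that failed rather than the step they undo (out_class unregisters the bus, out_bus unregisters the platform device, out_platform destroys btdelconn), which makes the unwind order hard to check at a glance. Naming them after the action they perform would read more naturally. In bt_sysfs_cleanup() the two blank lines removed between the teardown calls are unrelated whitespace churn for a stable patch.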
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002044.870827432@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:08 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ James Morris <jmorris@namei.org>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 22/38] AUDIT: Increase skb->truesize in audit_expand
+Content-Disposition: inline; filename=audit-increase-skb-truesize-in-audit_expand.patch
+Status: RO
+Content-Length: 1495
+Lines: 49
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+Upstream commit: 406a1d868001423c85a3165288e566e65f424fe6
+
+The recent UDP patch exposed this bug in the audit code. It
+was calling pskb_expand_head without increasing skb->truesize.
+The caller of pskb_expand_head needs to do so because that function
+is designed to be called in places where truesize is already fixed
+and therefore it doesn't update its value.
+
+Because the audit system is using it in a place where the truesize
+has not yet been fixed, it needs to update its value manually.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: James Morris <jmorris@namei.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/audit.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1200,13 +1200,17 @@ struct audit_buffer *audit_log_start(str
+ static inline int audit_expand(struct audit_buffer *ab, int extra)
+ {
+ struct sk_buff *skb = ab->skb;
+- int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
+- ab->gfp_mask);
++ int oldtail = skb_tailroom(skb);
++ int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
++ int newtail = skb_tailroom(skb);
++
+ if (ret < 0) {
+ audit_log_lost("out of memory in audit_expand");
+ return 0;
+ }
+- return skb_tailroom(skb);
++
++ skb->truesize += newtail - oldtail;
++ return newtail;
+ }
+
+ /*
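Review bot: the nhead argument of pskb_expand_head() changes from skb_headroom(skb) to 0 in audit_expand(), but the changelog only talks about truesize. That is a separate behaviour change and should be called out in the commit message. Also, newtail is read before ret is checked; the value is unused on the failure path, so the skb_tailroom() call would sit better below the error check.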
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.032119090@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:09 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jonathan Corbet <corbet@lwn.net>
+Subject: [patch 23/38] Be more robust about bad arguments in get_user_pages()
+Content-Disposition: inline; filename=be-more-robust-about-bad-arguments-in-get_user_pages.patch
+Status: RO
+Content-Length: 1723
+Lines: 48
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Jonathan Corbet <corbet@lwn.net>
+
+patch 900cf086fd2fbad07f72f4575449e0d0958f860f in mainline.
+
+So I spent a while pounding my head against my monitor trying to figure
+out the vmsplice() vulnerability - how could a failure to check for
+*read* access turn into a root exploit? It turns out that it's a buffer
+overflow problem which is made easy by the way get_user_pages() is
+coded.
+
+In particular, "len" is a signed int, and it is only checked at the
+*end* of a do {} while() loop. So, if it is passed in as zero, the loop
+will execute once and decrement len to -1. At that point, the loop will
+proceed until the next invalid address is found; in the process, it will
+likely overflow the pages array passed in to get_user_pages().
+
+I think that, if get_user_pages() has been asked to grab zero pages,
+that's what it should do. Thus this patch; it is, among other things,
+enough to block the (already fixed) root exploit and any others which
+might be lurking in similar code. I also think that the number of pages
+should be unsigned, but changing the prototype of this function probably
+requires some more careful review.
+
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -980,6 +980,8 @@ int get_user_pages(struct task_struct *t
+ int i;
+ unsigned int vm_flags;
+
++ if (len <= 0)
++ return 0;
+ /*
+ * Require read or write permissions.
+ * If 'force' is set, we only require the "MAY" flags.
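Review bot: "if (len <= 0) return 0;" treats a negative len the same as a request for zero pages. A negative count can only come from a caller bug, so consider warning on len < 0 instead of silently reporting success with no pages, in line with the changelog's remark that the count should really be unsigned. A blank line between the new return and the comment block that follows would match the surrounding style.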
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.189865536@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:10 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Benjamin Herrenschmidt <benh@kernel.crashing.org>,
+ Paul Mackerras <paulus@samba.org>
+Subject: [patch 24/38] Disable G5 NAP mode during SMU commands on U3
+Content-Disposition: inline; filename=disable-g5-nap-mode-during-smu-commands-on-u3.patch
+Status: RO
+Content-Length: 4682
+Lines: 145
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+patch 592a607bbc053bc6f614a0e619326009f4b3829e in mainline.
+
+It appears that with the U3 northbridge, if the processor is in NAP
+mode the whole time while waiting for an SMU command to complete,
+then the SMU will fail. It could be related to the weird backward
+mechanism the SMU uses to get to system memory via i2c to the
+northbridge that doesn't operate properly when the said bridge is
+in napping along with the CPU. That is on U3 at least, U4 doesn't
+seem to be affected.
+
+This didn't show before NO_HZ as the timer wakeup was enough to make
+it work it seems, but that is no longer the case.
+
+This fixes it by disabling NAP mode on those machines while
+an SMU command is in flight.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/platforms/powermac/feature.c | 11 ++++++++++-
+ drivers/macintosh/smu.c | 25 ++++++++++++++++++++++++-
+ include/asm-powerpc/pmac_feature.h | 8 ++++++++
+ 3 files changed, 42 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powermac/feature.c
++++ b/arch/powerpc/platforms/powermac/feature.c
+@@ -2565,6 +2565,8 @@ static void __init probe_uninorth(void)
+
+ /* Locate core99 Uni-N */
+ uninorth_node = of_find_node_by_name(NULL, "uni-n");
++ uninorth_maj = 1;
++
+ /* Locate G5 u3 */
+ if (uninorth_node == NULL) {
+ uninorth_node = of_find_node_by_name(NULL, "u3");
+@@ -2575,8 +2577,10 @@ static void __init probe_uninorth(void)
+ uninorth_node = of_find_node_by_name(NULL, "u4");
+ uninorth_maj = 4;
+ }
+- if (uninorth_node == NULL)
++ if (uninorth_node == NULL) {
++ uninorth_maj = 0;
+ return;
++ }
+
+ addrp = of_get_property(uninorth_node, "reg", NULL);
+ if (addrp == NULL)
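Review bot: uninorth_maj is reset to 0 only on the "node not found" exit of probe_uninorth(). The addrp == NULL check that follows is another failure exit, and if it returns there, uninorth_maj keeps 1, 3 or 4, so pmac_get_uninorth_variant() would report a variant for a northbridge whose probe did not complete. Either clear uninorth_maj on every failure exit or assign it only once the probe has succeeded.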
+@@ -3029,3 +3033,8 @@ void pmac_resume_agp_for_card(struct pci
+ pmac_agp_resume(pmac_agp_bridge);
+ }
+ EXPORT_SYMBOL(pmac_resume_agp_for_card);
++
++int pmac_get_uninorth_variant(void)
++{
++ return uninorth_maj;
++}
+--- a/drivers/macintosh/smu.c
++++ b/drivers/macintosh/smu.c
+@@ -85,6 +85,7 @@ struct smu_device {
+ u32 cmd_buf_abs; /* command buffer absolute */
+ struct list_head cmd_list;
+ struct smu_cmd *cmd_cur; /* pending command */
++ int broken_nap;
+ struct list_head cmd_i2c_list;
+ struct smu_i2c_cmd *cmd_i2c_cur; /* pending i2c command */
+ struct timer_list i2c_timer;
+@@ -135,6 +136,19 @@ static void smu_start_cmd(void)
+ fend = faddr + smu->cmd_buf->length + 2;
+ flush_inval_dcache_range(faddr, fend);
+
++
++ /* We also disable NAP mode for the duration of the command
++ * on U3 based machines.
++ * This is slightly racy as it can be written back to 1 by a sysctl
++ * but that never happens in practice. There seem to be an issue with
++ * U3 based machines such as the iMac G5 where napping for the
++ * whole duration of the command prevents the SMU from fetching it
++ * from memory. This might be related to the strange i2c based
++ * mechanism the SMU uses to access memory.
++ */
++ if (smu->broken_nap)
++ powersave_nap = 0;
++
+ /* This isn't exactly a DMA mapping here, I suspect
+ * the SMU is actually communicating with us via i2c to the
+ * northbridge or the CPU to access RAM.
+@@ -211,6 +225,10 @@ static irqreturn_t smu_db_intr(int irq,
+ misc = cmd->misc;
+ mb();
+ cmd->status = rc;
++
++ /* Re-enable NAP mode */
++ if (smu->broken_nap)
++ powersave_nap = 1;
+ bail:
+ /* Start next command if any */
+ smu_start_cmd();
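Review bot: "powersave_nap = 1" in smu_db_intr() re-enables NAP unconditionally, so on a broken_nap machine an administrator who turned NAP off through the sysctl gets it switched back on after the first SMU command. Saving the previous value when the command is started and restoring that value here would avoid overriding the setting. The assignment also sits above the bail: label, so any path that jumps to bail skips the restore.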
+@@ -461,7 +479,7 @@ int __init smu_init (void)
+ if (np == NULL)
+ return -ENODEV;
+
+- printk(KERN_INFO "SMU driver %s %s\n", VERSION, AUTHOR);
++ printk(KERN_INFO "SMU: Driver %s %s\n", VERSION, AUTHOR);
+
+ if (smu_cmdbuf_abs == 0) {
+ printk(KERN_ERR "SMU: Command buffer not allocated !\n");
+@@ -533,6 +551,11 @@ int __init smu_init (void)
+ goto fail;
+ }
+
++ /* U3 has an issue with NAP mode when issuing SMU commands */
++ smu->broken_nap = pmac_get_uninorth_variant() < 4;
++ if (smu->broken_nap)
++ printk(KERN_INFO "SMU: using NAP mode workaround\n");
++
+ sys_ctrler = SYS_CTRLER_SMU;
+ return 0;
+
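Review bot: "pmac_get_uninorth_variant() < 4" is also true for variants 0 and 1, which the header added by this patch documents as "not uninorth" and "U1.x or U2.x", while the comment and the changelog say the workaround is for U3. If only U3 is affected, the test should be "== 3"; if the wider match is intentional, the comment should say so.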
+--- a/include/asm-powerpc/pmac_feature.h
++++ b/include/asm-powerpc/pmac_feature.h
+@@ -392,6 +392,14 @@ extern u32 __iomem *uninorth_base;
+ #define UN_BIS(r,v) (UN_OUT((r), UN_IN(r) | (v)))
+ #define UN_BIC(r,v) (UN_OUT((r), UN_IN(r) & ~(v)))
+
++/* Uninorth variant:
++ *
++ * 0 = not uninorth
++ * 1 = U1.x or U2.x
++ * 3 = U3
++ * 4 = U4
++ */
++extern int pmac_get_uninorth_variant(void);
+
+ #endif /* __ASM_POWERPC_PMAC_FEATURE_H */
+ #endif /* __KERNEL__ */
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.355228033@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:11 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oleg Nesterov <oleg@tv-sign.ru>,
+ Alexey Dobriyan <adobriyan@sw.ru>,
+ Michael Kerrisk <mtk.manpages@googlemail.com>,
+ Pavel Emelyanov <xemul@sw.ru>,
+ Peter Zijlstra <a.p.zijlstra@chello.nl>,
+ Toyo Abe <toyoa@mvista.com>,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 25/38] hrtimer: fix *rmtp handling in hrtimer_nanosleep()
+Content-Disposition: inline; filename=hrtimer-fix-rmtp-handling-in-hrtimer_nanosleep.patch
+Status: RO
+Content-Length: 5655
+Lines: 188
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Oleg Nesterov <oleg@tv-sign.ru>
+
+commit 080344b98805553f9b01de0f59a41b1533036d8d
+
+Spotted by Pavel Emelyanov and Alexey Dobriyan.
+
+hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
+the local variable which lives in the caller's stack frame. This means that
+if sys_restart_syscall() actually happens and it is interrupted as well, we
+don't update the user-space variable, but write into the already dead stack
+frame.
+
+Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
+hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier
+
+Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
+hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
+
+Small problem remains. man 2 nanosleep states that *rtmp should be written if
+nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
+if nanosleep returns 0), but (with or without this patch) we can dirty *rem
+even if nanosleep() returns 0.
+
+NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
+bugs. Fixed by the next patch.
+
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Alexey Dobriyan <adobriyan@sw.ru>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Cc: Pavel Emelyanov <xemul@sw.ru>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Toyo Abe <toyoa@mvista.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/hrtimer.h | 2 -
+ kernel/hrtimer.c | 51 +++++++++++++++++++++++++-----------------------
+ kernel/posix-timers.c | 17 ++--------------
+ 3 files changed, 31 insertions(+), 39 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -300,7 +300,7 @@ hrtimer_forward(struct hrtimer *timer, k
+
+ /* Precise sleep: */
+ extern long hrtimer_nanosleep(struct timespec *rqtp,
+- struct timespec *rmtp,
++ struct timespec __user *rmtp,
+ const enum hrtimer_mode mode,
+ const clockid_t clockid);
+ extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -1291,11 +1291,26 @@ static int __sched do_nanosleep(struct h
+ return t->task == NULL;
+ }
+
++static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
++{
++ struct timespec rmt;
++ ktime_t rem;
++
++ rem = ktime_sub(timer->expires, timer->base->get_time());
++ if (rem.tv64 <= 0)
++ return 0;
++ rmt = ktime_to_timespec(rem);
++
++ if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
++ return -EFAULT;
++
++ return 1;
++}
++
+ long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
+ {
+ struct hrtimer_sleeper t;
+- struct timespec *rmtp;
+- ktime_t time;
++ struct timespec __user *rmtp;
+
+ restart->fn = do_no_restart_syscall;
+
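Review bot: update_rmtp() returns three different things (0 when the timer has already expired, -EFAULT when the copy fails, 1 after a successful copy) and both callers depend on that through "if (ret <= 0) return ret;", yet nothing documents the contract. A short comment above the function stating the three return values would keep a later caller from treating the result as a plain error code.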
+@@ -1305,12 +1320,11 @@ long __sched hrtimer_nanosleep_restart(s
+ if (do_nanosleep(&t, HRTIMER_MODE_ABS))
+ return 0;
+
+- rmtp = (struct timespec *)restart->arg1;
++ rmtp = (struct timespec __user *)restart->arg1;
+ if (rmtp) {
+- time = ktime_sub(t.timer.expires, t.timer.base->get_time());
+- if (time.tv64 <= 0)
+- return 0;
+- *rmtp = ktime_to_timespec(time);
++ int ret = update_rmtp(&t.timer, rmtp);
++ if (ret <= 0)
++ return ret;
+ }
+
+ restart->fn = hrtimer_nanosleep_restart;
+@@ -1319,12 +1333,11 @@ long __sched hrtimer_nanosleep_restart(s
+ return -ERESTART_RESTARTBLOCK;
+ }
+
+-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
++long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
+ const enum hrtimer_mode mode, const clockid_t clockid)
+ {
+ struct restart_block *restart;
+ struct hrtimer_sleeper t;
+- ktime_t rem;
+
+ hrtimer_init(&t.timer, clockid, mode);
+ t.timer.expires = timespec_to_ktime(*rqtp);
+@@ -1336,10 +1349,9 @@ long hrtimer_nanosleep(struct timespec *
+ return -ERESTARTNOHAND;
+
+ if (rmtp) {
+- rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
+- if (rem.tv64 <= 0)
+- return 0;
+- *rmtp = ktime_to_timespec(rem);
++ int ret = update_rmtp(&t.timer, rmtp);
++ if (ret <= 0)
++ return ret;
+ }
+
+ restart = ¤t_thread_info()->restart_block;
+@@ -1355,8 +1367,7 @@ long hrtimer_nanosleep(struct timespec *
+ asmlinkage long
+ sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
+ {
+- struct timespec tu, rmt;
+- int ret;
++ struct timespec tu;
+
+ if (copy_from_user(&tu, rqtp, sizeof(tu)))
+ return -EFAULT;
+@@ -1364,15 +1375,7 @@ sys_nanosleep(struct timespec __user *rq
+ if (!timespec_valid(&tu))
+ return -EINVAL;
+
+- ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
+- CLOCK_MONOTONIC);
+-
+- if (ret && rmtp) {
+- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+- return -EFAULT;
+- }
+-
+- return ret;
++ return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+ }
+
+ /*
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -981,20 +981,9 @@ sys_clock_getres(const clockid_t which_c
+ static int common_nsleep(const clockid_t which_clock, int flags,
+ struct timespec *tsave, struct timespec __user *rmtp)
+ {
+- struct timespec rmt;
+- int ret;
+-
+- ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
+- flags & TIMER_ABSTIME ?
+- HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+- which_clock);
+-
+- if (ret && rmtp) {
+- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+- return -EFAULT;
+- }
+-
+- return ret;
++ return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ?
++ HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
++ which_clock);
+ }
+
+ asmlinkage long
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.523269013@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:12 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oleg Nesterov <oleg@tv-sign.ru>,
+ Alexey Dobriyan <adobriyan@sw.ru>,
+ Pavel Emelyanov <xemul@sw.ru>,
+ Peter Zijlstra <a.p.zijlstra@chello.nl>,
+ Toyo Abe <toyoa@mvista.com>,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 26/38] hrtimer: fix *rmtp/restarts handling in compat_sys_nanosleep()
+Content-Disposition: inline; filename=hrtimer-fix-rmtp-restarts-handling-in-compat_sys_nanosleep.patch
+Status: RO
+Content-Length: 2839
+Lines: 102
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Oleg Nesterov <oleg@tv-sign.ru>
+
+commit 416529374b4793ba2d2e97e736d108a2e0f3ef07
+
+Spotted by Pavel Emelyanov and Alexey Dobriyan.
+
+compat_sys_nanosleep() implicitly uses hrtimer_nanosleep_restart(), this can't
+work. Make a suitable compat_nanosleep_restart() helper.
+
+Introduced by commit c70878b4e0b6cf8d2f1e46319e48e821ef4a8aba
+hrtimer: hook compat_sys_nanosleep up to high res timer code
+
+Also, set ->addr_limit = KERNEL_DS before doing hrtimer_nanosleep(), this func
+was changed by the previous patch and now takes the "__user *" parameter.
+
+Thanks to Ingo Molnar for fixing the bug in this patch.
+
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexey Dobriyan <adobriyan@sw.ru>
+Cc: Pavel Emelyanov <xemul@sw.ru>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Toyo Abe <toyoa@mvista.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ kernel/compat.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -40,10 +40,36 @@ int put_compat_timespec(const struct tim
+ __put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
+ }
+
++static long compat_nanosleep_restart(struct restart_block *restart)
++{
++ struct compat_timespec __user *rmtp;
++ struct timespec rmt;
++ mm_segment_t oldfs;
++ long ret;
++
++ rmtp = (struct compat_timespec __user *)(restart->arg1);
++ restart->arg1 = (unsigned long)&rmt;
++ oldfs = get_fs();
++ set_fs(KERNEL_DS);
++ ret = hrtimer_nanosleep_restart(restart);
++ set_fs(oldfs);
++
++ if (ret) {
++ restart->fn = compat_nanosleep_restart;
++ restart->arg1 = (unsigned long)rmtp;
++
++ if (rmtp && put_compat_timespec(&rmt, rmtp))
++ return -EFAULT;
++ }
++
++ return ret;
++}
++
+ asmlinkage long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
+ struct compat_timespec __user *rmtp)
+ {
+ struct timespec tu, rmt;
++ mm_segment_t oldfs;
+ long ret;
+
+ if (get_compat_timespec(&tu, rqtp))
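Review bot: compat_nanosleep_restart() stores the address of its local rmt in restart->arg1 and puts the user pointer back only inside "if (ret)". When hrtimer_nanosleep_restart() returns 0, the restart block is left holding a pointer into a stack frame that is about to go away. Restoring restart->arg1 unconditionally right after set_fs(oldfs) would keep that stale address out of the restart block.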
+@@ -52,11 +78,21 @@ asmlinkage long compat_sys_nanosleep(str
+ if (!timespec_valid(&tu))
+ return -EINVAL;
+
+- ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
+- CLOCK_MONOTONIC);
++ oldfs = get_fs();
++ set_fs(KERNEL_DS);
++ ret = hrtimer_nanosleep(&tu,
++ rmtp ? (struct timespec __user *)&rmt : NULL,
++ HRTIMER_MODE_REL, CLOCK_MONOTONIC);
++ set_fs(oldfs);
++
++ if (ret) {
++ struct restart_block *restart
++ = ¤t_thread_info()->restart_block;
++
++ restart->fn = compat_nanosleep_restart;
++ restart->arg1 = (unsigned long)rmtp;
+
+- if (ret && rmtp) {
+- if (put_compat_timespec(&rmt, rmtp))
++ if (rmtp && put_compat_timespec(&rmt, rmtp))
+ return -EFAULT;
+ }
+
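Review bot: the "if (ret)" block in compat_sys_nanosleep() installs compat_nanosleep_restart and copies rmt out for any nonzero return, not only for the restart case. rmt is only known to be filled when hrtimer_nanosleep() got as far as writing the remaining time, so testing for -ERESTART_RESTARTBLOCK explicitly would make the intent clear and avoid copying an unset rmt to user space on another error return. The "(struct timespec __user *)&rmt" cast also deserves a one-line comment tying it to the set_fs(KERNEL_DS) above.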
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.680844347@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:13 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christoph Lameter <clameter@sgi.com>
+Subject: [patch 27/38] SLUB: Deal with annoying gcc warning on kfree()
+Content-Disposition: inline; filename=slub-deal-with-annoying-gcc-warning-on-kfree.patch
+Status: RO
+Content-Length: 1011
+Lines: 40
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Christoph Lameter <clameter@sgi.com>
+
+patch 5bb983b0cce9b7b281af15730f7019116dd42568 in mainline.
+
+gcc 4.2 spits out an annoying warning if one casts a const void *
+pointer to a void * pointer. No warning is generated if the
+conversion is done through an assignment.
+
+Signed-off-by: Christoph Lameter <clameter@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/slub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -2592,6 +2592,7 @@ EXPORT_SYMBOL(ksize);
+ void kfree(const void *x)
+ {
+ struct page *page;
++ void *object = (void *)x;
+
+ if (unlikely(ZERO_OR_NULL_PTR(x)))
+ return;
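Review bot: the changelog says the warning goes away when the conversion is done through an assignment, but the added line "void *object = (void *)x;" still contains the explicit cast from const void * to void *. Please make the commit message and the code agree: either explain why the cast inside the initializer does not trigger the gcc 4.2 warning, or drop the cast if a plain assignment is what is meant.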
+@@ -2601,7 +2602,7 @@ void kfree(const void *x)
+ put_page(page);
+ return;
+ }
+- slab_free(page->slab, page, (void *)x, __builtin_return_address(0));
++ slab_free(page->slab, page, object, __builtin_return_address(0));
+ }
+ EXPORT_SYMBOL(kfree);
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:45 2008
+Message-Id: <20080223002045.841858596@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:14 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 28/38] hrtimer: check relative timeouts for overflow
+Content-Disposition: inline; filename=hrtimer-check-relative-timeouts-for-overflow.patch
+Status: RO
+Content-Length: 4529
+Lines: 153
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit: 5a7780e725d1bb4c3094fcc12f1c5c5faea1e988
+
+Various user space callers ask for relative timeouts. While we fixed
+that overflow issue in hrtimer_start(), the sites which convert
+relative user space values to absolute timeouts themself were uncovered.
+
+Instead of putting overflow checks into each place add a function
+which does the sanity checking and convert all affected callers to use
+it.
+
+Thanks to Frans Pop, who reported the problem and tested the fixes.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Tested-by: Frans Pop <elendil@planet.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ include/linux/ktime.h | 2 ++
+ kernel/futex.c | 2 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/hrtimer.c | 38 +++++++++++++++++++++-----------------
+ kernel/posix-timers.c | 8 +++++---
+ 5 files changed, 30 insertions(+), 22 deletions(-)
+
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -310,6 +310,8 @@ static inline ktime_t ktime_sub_us(const
+ return ktime_sub_ns(kt, usec * 1000);
+ }
+
++extern ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs);
++
+ /*
+ * The resolution of the clocks. The resolution value is returned in
+ * the clock_getres() system call to give application programmers an
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2094,7 +2094,7 @@ asmlinkage long sys_futex(u32 __user *ua
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+- t = ktime_add(ktime_get(), t);
++ t = ktime_add_safe(ktime_get(), t);
+ tp = &t;
+ }
+ /*
+--- a/kernel/futex_compat.c
++++ b/kernel/futex_compat.c
+@@ -175,7 +175,7 @@ asmlinkage long compat_sys_futex(u32 __u
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+- t = ktime_add(ktime_get(), t);
++ t = ktime_add_safe(ktime_get(), t);
+ tp = &t;
+ }
+ if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE)
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -325,6 +325,24 @@ unsigned long ktime_divns(const ktime_t
+ }
+ #endif /* BITS_PER_LONG >= 64 */
+
++/*
++ * Add two ktime values and do a safety check for overflow:
++ */
++
++ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
++{
++ ktime_t res = ktime_add(lhs, rhs);
++
++ /*
++ * We use KTIME_SEC_MAX here, the maximum timeout which we can
++ * return to user space in a timespec:
++ */
++ if (res.tv64 < 0 || res.tv64 < lhs.tv64 || res.tv64 < rhs.tv64)
++ res = ktime_set(KTIME_SEC_MAX, 0);
++
++ return res;
++}
++
+ /* High resolution timer related functions */
+ #ifdef CONFIG_HIGH_RES_TIMERS
+
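Review bot: the test "res.tv64 < lhs.tv64 || res.tv64 < rhs.tv64" in ktime_add_safe() only detects overflow when both operands are non-negative. With a negative rhs the sum is legitimately smaller than lhs and would be clamped to KTIME_SEC_MAX, turning an earlier time into the maximum timeout. The comment above the function should state that both arguments must be non-negative, since the helper is declared in ktime.h for general use.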
+@@ -682,13 +700,7 @@ hrtimer_forward(struct hrtimer *timer, k
+ */
+ orun++;
+ }
+- timer->expires = ktime_add(timer->expires, interval);
+- /*
+- * Make sure, that the result did not wrap with a very large
+- * interval.
+- */
+- if (timer->expires.tv64 < 0)
+- timer->expires = ktime_set(KTIME_SEC_MAX, 0);
++ timer->expires = ktime_add_safe(timer->expires, interval);
+
+ return orun;
+ }
+@@ -839,7 +851,7 @@ hrtimer_start(struct hrtimer *timer, kti
+ new_base = switch_hrtimer_base(timer, base);
+
+ if (mode == HRTIMER_MODE_REL) {
+- tim = ktime_add(tim, new_base->get_time());
++ tim = ktime_add_safe(tim, new_base->get_time());
+ /*
+ * CONFIG_TIME_LOW_RES is a temporary way for architectures
+ * to signal that they simply return xtime in
+@@ -848,16 +860,8 @@ hrtimer_start(struct hrtimer *timer, kti
+ * timeouts. This will go away with the GTOD framework.
+ */
+ #ifdef CONFIG_TIME_LOW_RES
+- tim = ktime_add(tim, base->resolution);
++ tim = ktime_add_safe(tim, base->resolution);
+ #endif
+- /*
+- * Careful here: User space might have asked for a
+- * very long sleep, so the add above might result in a
+- * negative number, which enqueues the timer in front
+- * of the queue.
+- */
+- if (tim.tv64 < 0)
+- tim.tv64 = KTIME_MAX;
+ }
+ timer->expires = tim;
+
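Review bot: the fallback removed from hrtimer_start() set `tim.tv64 = KTIME_MAX`, while ktime_add_safe() clamps to `ktime_set(KTIME_SEC_MAX, 0)`, so the saturation value for relative timers changes with this hunk and the changelog should say so. The deleted comment also carried the reason for the check (a wrapped, negative expiry enqueues the timer at the front of the queue); that rationale is worth moving into the comment on ktime_add_safe() rather than dropping it.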
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -766,9 +766,11 @@ common_timer_set(struct k_itimer *timr,
+ /* SIGEV_NONE timers are not queued ! See common_timer_get */
+ if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
+ /* Setup correct expiry time for relative timers */
+- if (mode == HRTIMER_MODE_REL)
+- timer->expires = ktime_add(timer->expires,
+- timer->base->get_time());
++ if (mode == HRTIMER_MODE_REL) {
++ timer->expires =
++ ktime_add_safe(timer->expires,
++ timer->base->get_time());
++ }
+ return 0;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.004036749@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:15 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 29/38] hrtimer: catch expired CLOCK_REALTIME timers early
+Content-Disposition: inline; filename=hrtimer-catch-expired-clock_realtime-timers-early.patch
+Status: RO
+Content-Length: 1668
+Lines: 57
+
+
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 63070a79ba482c274bad10ac8c4b587a3e011f2c
+
+A CLOCK_REALTIME timer, which has an absolute expiry time less than
+the clock realtime offset calls with a negative delta into the clock
+events code and triggers the WARN_ON() there.
+
+This is a false positive and needs to be prevented. Check the result
+of timer->expires - timer->base->offset right away and return -ETIME
+right away.
+
+Thanks to Frans Pop, who reported the problem and tested the fixes.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Frans Pop <elendil@planet.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -427,6 +427,8 @@ static int hrtimer_reprogram(struct hrti
+ ktime_t expires = ktime_sub(timer->expires, base->offset);
+ int res;
+
++ WARN_ON_ONCE(timer->expires.tv64 < 0);
++
+ /*
+ * When the callback is running, we do not reprogram the clock event
+ * device. The timer callback is either running on a different CPU or
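Review bot: the `WARN_ON_ONCE(timer->expires.tv64 < 0);` added at the top of hrtimer_reprogram() is not mentioned in the changelog, which only describes the early -ETIME return. A one-line comment stating that a negative timer->expires is treated as a bug, while a negative value after subtracting base->offset is legitimate, would make the distinction between the two checks clear.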
+@@ -437,6 +439,15 @@ static int hrtimer_reprogram(struct hrti
+ if (hrtimer_callback_running(timer))
+ return 0;
+
++ /*
++ * CLOCK_REALTIME timer might be requested with an absolute
++ * expiry time which is less than base->offset. Nothing wrong
++ * about that, just avoid to call into the tick code, which
++ * has now objections against negative expiry values.
++ */
++ if (expires.tv64 < 0)
++ return -ETIME;
++
+ if (expires.tv64 >= expires_next->tv64)
+ return 0;
+
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.175975502@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:16 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 30/38] genirq: do not leave interupts enabled on free_irq
+Content-Disposition: inline; filename=genirq-do-not-leave-interupts-enabled-on-free_irq.patch
+Status: RO
+Content-Length: 2272
+Lines: 75
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 89d694b9dbe769ca1004e01db0ca43964806a611
+
+The default_disable() function was changed in commit:
+
+ 76d2160147f43f982dfe881404cfde9fd0a9da21
+ genirq: do not mask interrupts by default
+
+It removed the mask function in favour of the default delayed
+interrupt disabling. Unfortunately this also broke the shutdown in
+free_irq() when the last handler is removed from the interrupt for
+those architectures which rely on the default implementations. Now we
+can end up with a enabled interrupt line after the last handler was
+removed, which can result in spurious interrupts.
+
+Fix this by adding a default_shutdown function, which is only
+installed, when the irqchip implementation does provide neither a
+shutdown nor a disable function.
+
+
+Pointed-out-by: Michael Hennerich <Michael.Hennerich@analog.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Tested-by: Michael Hennerich <Michael.Hennerich@analog.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ kernel/irq/chip.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/chip.c
++++ b/kernel/irq/chip.c
+@@ -246,6 +246,17 @@ static unsigned int default_startup(unsi
+ }
+
+ /*
++ * default shutdown function
++ */
++static void default_shutdown(unsigned int irq)
++{
++ struct irq_desc *desc = irq_desc + irq;
++
++ desc->chip->mask(irq);
++ desc->status |= IRQ_MASKED;
++}
++
++/*
+ * Fixup enable/disable function pointers
+ */
+ void irq_chip_set_defaults(struct irq_chip *chip)
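Review bot: default_shutdown() calls `desc->chip->mask(irq);` unconditionally. The irq_chip_set_defaults() lines visible in this patch install fallbacks for disable, startup and shutdown but none for mask, so please confirm that every chip that ends up with default_disable also provides a mask callback, or guard the call.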
+@@ -256,8 +267,15 @@ void irq_chip_set_defaults(struct irq_ch
+ chip->disable = default_disable;
+ if (!chip->startup)
+ chip->startup = default_startup;
++ /*
++ * We use chip->disable, when the user provided its own. When
++ * we have default_disable set for chip->disable, then we need
++ * to use default_shutdown, otherwise the irq line is not
++ * disabled on free_irq():
++ */
+ if (!chip->shutdown)
+- chip->shutdown = chip->disable;
++ chip->shutdown = chip->disable != default_disable ?
++ chip->disable : default_shutdown;
+ if (!chip->name)
+ chip->name = chip->typename;
+ if (!chip->end)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.338820151@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:17 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Heiko Carstens <heiko.carstens@de.ibm.com>,
+ Martin Schwidefsky <schwidefsky@de.ibm.com>
+Subject: [patch 31/38] S390: Fix futex_atomic_cmpxchg_std inline assembly.
+Content-Disposition: inline; filename=s390-fix-futex_atomic_cmpxchg_std-inline-assembly.patch
+Status: RO
+Content-Length: 1201
+Lines: 40
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit: d5b02b3ff1d9a2e1074f559c84ed378cfa6fc3c0 upstream
+
+Add missing exception table entry so that the kernel can handle
+proctection exceptions as well on the cs instruction. Currently only
+specification exceptions are handled correctly.
+The missing entry allows user space to crash the kernel.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/lib/uaccess_std.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/lib/uaccess_std.c
++++ b/arch/s390/lib/uaccess_std.c
+@@ -293,10 +293,10 @@ int futex_atomic_cmpxchg_std(int __user
+
+ asm volatile(
+ " sacf 256\n"
+- " cs %1,%4,0(%5)\n"
+- "0: lr %0,%1\n"
+- "1: sacf 0\n"
+- EX_TABLE(0b,1b)
++ "0: cs %1,%4,0(%5)\n"
++ "1: lr %0,%1\n"
++ "2: sacf 0\n"
++ EX_TABLE(0b,2b) EX_TABLE(1b,2b)
+ : "=d" (ret), "+d" (oldval), "=m" (*uaddr)
+ : "0" (-EFAULT), "d" (newval), "a" (uaddr), "m" (*uaddr)
+ : "cc", "memory" );
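Review bot: the two entries `EX_TABLE(0b,2b) EX_TABLE(1b,2b)` are the whole fix, but nothing in the code says why both the address of the cs and the address after it need a fixup. A short comment above the asm, along the lines of the changelog (specification versus protection exceptions on cs), would keep a later cleanup from dropping one of them again.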
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.501226616@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:18 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oliver Neukum <oneukum@suse.de>,
+ Pete Zaitcev <zaitcev@redhat.com>
+Subject: [patch 32/38] USB: fix pm counter leak in usblp
+Content-Disposition: inline; filename=usb-fix-pm-counter-leak-in-usblp.patch
+Status: RO
+Content-Length: 775
+Lines: 30
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Oliver Neukum <oliver@neukum.org>
+
+commit 1902869019918411c148c18cc3a22aade569ac9a upstream
+
+if you fail in open() you must decrement the pm counter again.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/usblp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -428,6 +428,7 @@ static int usblp_open(struct inode *inod
+ usblp->rcomplete = 0;
+
+ if (handle_bidir(usblp) < 0) {
++ usb_autopm_put_interface(intf);
+ usblp->used = 0;
+ file->private_data = NULL;
+ retval = -EIO;
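Review bot: the added `usb_autopm_put_interface(intf);` balances a get that is not visible in this hunk. The changelog should name where in usblp_open() the counter is taken, so a reader can confirm that the handle_bidir() failure branch is the only exit after that point that was missing the put.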
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.667937190@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:19 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Boaz Harrosh <bharrosh@panasas.com>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>
+Subject: [patch 33/38] SCSI: gdth: scan for scsi devices
+Content-Disposition: inline; filename=scsi-gdth-scan-for-scsi-devices.patch
+Status: RO
+Content-Length: 1536
+Lines: 61
+
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Boaz Harrosh <bharrosh@panasas.com>
+
+commit: 61c92814dc324b541391757062ff02fbf3b08086
+
+The patch: "gdth: switch to modern scsi host registration"
+
+missed one simple fact when moving a way from scsi_module.c.
+That is to call scsi_scan_host() on the probed host.
+With this the gdth driver from 2.6.24 is again able to
+see drives and boot.
+
+Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
+Tested-by: Joerg Dorchain <joerg@dorchain.net>
+Tested-by: Stefan Priebe <s.priebe@allied-internet.ag>
+Tested-by: Jon Chelton <jchelton@ffpglobal.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/gdth.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4838,6 +4838,9 @@ static int __init gdth_isa_probe_one(ulo
+ if (error)
+ goto out_free_coal_stat;
+ list_add_tail(&ha->list, &gdth_instances);
++
++ scsi_scan_host(shp);
++
+ return 0;
+
+ out_free_coal_stat:
+@@ -4965,6 +4968,9 @@ static int __init gdth_eisa_probe_one(us
+ if (error)
+ goto out_free_coal_stat;
+ list_add_tail(&ha->list, &gdth_instances);
++
++ scsi_scan_host(shp);
++
+ return 0;
+
+ out_free_ccb_phys:
+@@ -5102,6 +5108,9 @@ static int __init gdth_pci_probe_one(gdt
+ if (error)
+ goto out_free_coal_stat;
+ list_add_tail(&ha->list, &gdth_instances);
++
++ scsi_scan_host(shp);
++
+ return 0;
+
+ out_free_coal_stat:
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:46 2008
+Message-Id: <20080223002046.826313952@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:20 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sam Ravnborg <sam@ravnborg.org>,
+ Arjan van de Ven <arjan@infradead.org>
+Subject: [patch 34/38] kbuild: allow -fstack-protector to take effect
+Content-Disposition: inline; filename=kbuild-allow-fstack-protector-to-take-effect.patch
+Status: RO
+Content-Length: 2163
+Lines: 67
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Sam Ravnborg <sam@ravnborg.org>
+
+commit: e06b8b98da071f7dd78fb7822991694288047df0
+
+Arjan van de Ven <arjan@infradead.org> wrote:
+===
+I just read the excellent LWN writeup of the vmsplice
+security thing, and that got me wondering why this attack
+wasn't stopped by the CONFIG_CC_STACKPROTECTOR option...
+because it plain should have been...
+
+Some analysis later.. it turns out that the following line
+in the top level Makefile, added by you in October 2007,
+entirely disables CONFIG_CC_STACKPROTECTOR ;(
+With this line removed the exploit will be nicely stopped.
+
+CFLAGS += $(call cc-option, -fno-stack-protector)
+
+Now I realize that certain distros have patched gcc to
+compensate for their lack of distro wide CFLAGS, and it's
+great to work around that... but would there be a way to NOT
+disable this for CONFIG_CC_STACKPROTECTOR please?
+It would have made this exploit not possible for those kernels
+that enable this feature (and that includes distros like Fedora)
+===
+
+Move the assignment to KBUILD_CFLAGS up before including
+the arch specific Makefile so arch makefiles may override
+the setting.
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Arjan van de Ven <arjan@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ Makefile | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -507,6 +507,10 @@ else
+ KBUILD_CFLAGS += -O2
+ endif
+
++# Force gcc to behave correct even for buggy distributions
++# Arch Makefiles may override this setting
++KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
++
+ include $(srctree)/arch/$(SRCARCH)/Makefile
+
+ ifdef CONFIG_FRAME_POINTER
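Review bot: with the `-fno-stack-protector` line moved above the arch Makefile include, CONFIG_CC_STACKPROTECTOR only takes effect because a flag appended later by the arch Makefile wins over this one. The new comment `# Arch Makefiles may override this setting` should say that this depends on flag order, or the line could be made conditional on CONFIG_CC_STACKPROTECTOR so that the intent does not rest on where the include sits.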
+@@ -520,9 +524,6 @@ KBUILD_CFLAGS += -g
+ KBUILD_AFLAGS += -gdwarf-2
+ endif
+
+-# Force gcc to behave correct even for buggy distributions
+-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+-
+ # arch Makefile may override CC so keep this after arch Makefile is included
+ NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
+ CHECKFLAGS += $(NOSTDINC_FLAGS)
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:47 2008
+Message-Id: <20080223002046.985979985@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:21 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jeff Garzik <jeff@garzik.org>
+Subject: [patch 35/38] PCMCIA: Fix station address detection in smc
+Content-Disposition: inline; filename=pcmcia-fix-station-address-detection-in-smc.patch
+Status: RO
+Content-Length: 1675
+Lines: 51
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Chuck Ebbert <cebbert@redhat.com>
+
+Commit: a1a98b72dbd17e53cd92b8e78f404525ebcfd981
+
+Fix station address detection in smc
+
+Megahertz EM1144 PCMCIA ethernet adapter needs special handling
+because it has two VERS_1 tuples and the station address is in
+the second one. Conversion to generic handling of these fields
+broke it. Reverting that fixes the device.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=233255
+
+Thanks go to Jon Stanley for not giving up on this one until the
+problem was found.
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/pcmcia/smc91c92_cs.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/pcmcia/smc91c92_cs.c
++++ b/drivers/net/pcmcia/smc91c92_cs.c
+@@ -559,8 +559,16 @@ static int mhz_setup(struct pcmcia_devic
+
+ /* Read the station address from the CIS. It is stored as the last
+ (fourth) string in the Version 1 Version/ID tuple. */
+- if (link->prod_id[3]) {
+- station_addr = link->prod_id[3];
++ tuple->DesiredTuple = CISTPL_VERS_1;
++ if (first_tuple(link, tuple, parse) != CS_SUCCESS) {
++ rc = -1;
++ goto free_cfg_mem;
++ }
++ /* Ugh -- the EM1144 card has two VERS_1 tuples!?! */
++ if (next_tuple(link, tuple, parse) != CS_SUCCESS)
++ first_tuple(link, tuple, parse);
++ if (parse->version_1.ns > 3) {
++ station_addr = parse->version_1.str + parse->version_1.ofs[3];
+ if (cvt_ascii_address(dev, station_addr) == 0) {
+ rc = 0;
+ goto free_cfg_mem;
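Review bot: when next_tuple() fails, the fallback call `first_tuple(link, tuple, parse);` has its return value ignored, and `parse->version_1.ns` is read right after it. Check that second call against CS_SUCCESS the same way the first one is checked, and take the same `rc = -1; goto free_cfg_mem;` path on failure.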
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:47 2008
+Message-Id: <20080223002047.150693517@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:22 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Paul Mackerras <paulus@samba.org>,
+ Olaf Hering <olaf@aepfle.de>
+Subject: [patch 36/38] POWERPC: Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos
+Content-Disposition: inline; filename=powerpc-revert-chrp_pci_fixup_vt8231_ata-devinit-to-fix-libata-on-pegasos.patch
+Status: RO
+Content-Length: 1625
+Lines: 46
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Olaf Hering <olaf@aepfle.de>
+
+Commit: 092ca5bd61da6344f3b249754b337f2d48dfe08d
+
+[POWERPC] Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos
+
+Commit 6d98bda79bea0e1be26c0767d0e9923ad3b72f2e changed the init order
+for chrp_pci_fixup_vt8231_ata().
+
+It can not work anymore because either the irq is not yet set to 14 or
+pci_get_device() returns nothing. At least the printk() in
+chrp_pci_fixup_vt8231_ata() does not trigger anymore.
+pata_via works again on Pegasos with the change below.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/platforms/chrp/pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/chrp/pci.c
++++ b/arch/powerpc/platforms/chrp/pci.c
+@@ -354,7 +354,7 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_WI
+ * mode as well. The same fixup must be done to the class-code property in
+ * the IDE node /pci@80000000/ide@C,1
+ */
+-static void __devinit chrp_pci_fixup_vt8231_ata(struct pci_dev *viaide)
++static void chrp_pci_fixup_vt8231_ata(struct pci_dev *viaide)
+ {
+ u8 progif;
+ struct pci_dev *viaisa;
+@@ -375,4 +375,4 @@ static void __devinit chrp_pci_fixup_vt8
+
+ pci_dev_put(viaisa);
+ }
+-DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, chrp_pci_fixup_vt8231_ata);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, chrp_pci_fixup_vt8231_ata);
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:47 2008
+Message-Id: <20080223002047.309638858@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:23 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jay Vosburgh <fubar@us.ibm.com>,
+ Jeff Garzik <jeff@garzik.org>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 37/38] bonding: fix NULL pointer deref in startup processing
+Content-Disposition: inline; filename=bonding-fix-null-pointer-deref-in-startup-processing.patch
+Status: RO
+Content-Length: 1523
+Lines: 50
+
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Jay Vosburgh <fubar@us.ibm.com>
+
+patch 4fe4763cd8cacd81d892193efb48b99c99c15323 in mainline.
+
+ Fix the "are we creating a duplicate" check to not compare
+the name if the name is NULL (meaning that the system should select
+a name). Bug reported by Benny Amorsen <benny+usenet@amorsen.dk>.
+
+Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bonding/bond_main.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4883,14 +4883,16 @@ int bond_create(char *name, struct bond_
+ down_write(&bonding_rwsem);
+
+ /* Check to see if the bond already exists. */
+- list_for_each_entry_safe(bond, nxt, &bond_dev_list, bond_list)
+- if (strnicmp(bond->dev->name, name, IFNAMSIZ) == 0) {
+- printk(KERN_ERR DRV_NAME
++ if (name) {
++ list_for_each_entry_safe(bond, nxt, &bond_dev_list, bond_list)
++ if (strnicmp(bond->dev->name, name, IFNAMSIZ) == 0) {
++ printk(KERN_ERR DRV_NAME
+ ": cannot add bond %s; it already exists\n",
+- name);
+- res = -EPERM;
+- goto out_rtnl;
+- }
++ name);
++ res = -EPERM;
++ goto out_rtnl;
++ }
++ }
+
+ bond_dev = alloc_netdev(sizeof(struct bonding), name ? name : "",
+ ether_setup);
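Review bot: style point on the new `if (name) {` block: the list_for_each_entry_safe() loop now sits one level deeper with a multi-line body and no braces of its own, and the unchanged continuation line `": cannot add bond %s; it already exists\n",` keeps its old indentation. Braces around the loop body and re-indenting the string would make the nesting readable. Since the loop body shown here only compares names and jumps out, plain list_for_each_entry() would also be enough.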
+
+--
+
+From gregkh@mini.kroah.org Fri Feb 22 16:20:47 2008
+Message-Id: <20080223002047.500493981@mini.kroah.org>
+References: <20080223001946.979768610@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 22 Feb 2008 16:20:24 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Andi Kleen <andi@firstfloor.org>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 38/38] x86_64: CPA, fix cache attribute inconsistency bug
+Content-Disposition: inline; filename=x86_64-cpa-fix-cache-attribute-inconsistency-bug.patch
+Status: RO
+Content-Length: 2074
+Lines: 58
+
+2.6.24-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ingo Molnar <mingo@elte.hu>
+
+(no matching git id as the upstream code is rewritten)
+
+fix CPA cache attribute bug in v2.6.24. When phys_base is nonzero (when
+CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates the
+secondary alias address by -14 MB (depending on the configured offset).
+
+The default 64-bit kernels of Fedora and Ubuntu are affected:
+
+ $ grep RELOCA /boot/config-2.6.23.9-85.fc8
+ CONFIG_RELOCATABLE=y
+
+ $ grep RELOC /boot/config-2.6.22-14-generic
+ CONFIG_RELOCATABLE=y
+
+and probably on many other distros as well.
+
+the bug affects all pages in the first 40 MB of physical RAM that
+are allocated by some subsystem that does ioremap_nocache() on them:
+
+ if (__pa(address) < KERNEL_TEXT_SIZE) {
+
+Hence we might leave page table entries with inconsistent cache
+attributes around (pages mapped at both UnCacheable and Write-Back),
+and we can also set the wrong kernel text pages to UnCacheable.
+
+the effects of this bug can be random slowdowns and other misbehavior.
+If for example AGP allocates its aperture pages into the first 40 MB
+of physical RAM, then the -14 MB bug might mark random kernel texto
+pages as uncacheable, slowing down a random portion of the 64-bit
+kernel until the AGP driver is unloaded.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/pageattr_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/pageattr_64.c
++++ b/arch/x86/mm/pageattr_64.c
+@@ -207,7 +207,7 @@ int change_page_attr_addr(unsigned long
+ if (__pa(address) < KERNEL_TEXT_SIZE) {
+ unsigned long addr2;
+ pgprot_t prot2;
+- addr2 = __START_KERNEL_map + __pa(address);
++ addr2 = __START_KERNEL_map + __pa(address) - phys_base;
+ /* Make sure the kernel mappings stay executable */
+ prot2 = pte_pgprot(pte_mkexec(pfn_pte(0, prot)));
+ err = __change_page_attr(addr2, pfn, prot2,
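Review bot: the guard `if (__pa(address) < KERNEL_TEXT_SIZE)` still compares the raw physical address, while the alias is now computed as `__START_KERNEL_map + __pa(address) - phys_base`. For a page whose __pa(address) is below phys_base, addr2 ends up below __START_KERNEL_map; should the condition test `__pa(address) - phys_base`, with a lower bound, as well?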
+
+--
+