From: Greg Kroah-Hartman Date: Tue, 29 Apr 2008 17:20:35 +0000 (-0700) Subject: started 2.6.25 review cycle X-Git-Tag: v2.6.25.1~5 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f0f9058d04425096ab34e0d08c874996d8beb451;p=thirdparty%2Fkernel%2Fstable-queue.git started 2.6.25 review cycle --- diff --git a/queue-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch b/review-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch similarity index 100% rename from queue-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch rename to review-2.6.25/aio-io_getevents-should-return-if-io_destroy-is-invoked.patch diff --git a/queue-2.6.25/alpha-unbreak-osf-1-binaries.patch b/review-2.6.25/alpha-unbreak-osf-1-binaries.patch similarity index 100% rename from queue-2.6.25/alpha-unbreak-osf-1-binaries.patch rename to review-2.6.25/alpha-unbreak-osf-1-binaries.patch diff --git a/queue-2.6.25/b43-add-more-btcoexist-workarounds.patch b/review-2.6.25/b43-add-more-btcoexist-workarounds.patch similarity index 100% rename from queue-2.6.25/b43-add-more-btcoexist-workarounds.patch rename to review-2.6.25/b43-add-more-btcoexist-workarounds.patch diff --git a/queue-2.6.25/b43-workaround-dma-quirks.patch b/review-2.6.25/b43-workaround-dma-quirks.patch similarity index 100% rename from queue-2.6.25/b43-workaround-dma-quirks.patch rename to review-2.6.25/b43-workaround-dma-quirks.patch diff --git a/queue-2.6.25/b43-workaround-invalid-bluetooth-settings.patch b/review-2.6.25/b43-workaround-invalid-bluetooth-settings.patch similarity index 100% rename from queue-2.6.25/b43-workaround-invalid-bluetooth-settings.patch rename to review-2.6.25/b43-workaround-invalid-bluetooth-settings.patch diff --git a/queue-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch b/review-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch similarity index 100% rename from queue-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch rename to review-2.6.25/cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch diff --git a/queue-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch b/review-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch similarity index 100% rename from queue-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch rename to review-2.6.25/dm-snapshot-fix-chunksize-sector-conversion.patch diff --git a/queue-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch b/review-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch similarity index 100% rename from queue-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch rename to review-2.6.25/dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch diff --git a/queue-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch b/review-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch similarity index 100% rename from queue-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch rename to review-2.6.25/hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch diff --git a/queue-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch b/review-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch similarity index 100% rename from queue-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch rename to review-2.6.25/hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch diff --git a/queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch b/review-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch similarity index 100% rename from queue-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch rename to review-2.6.25/ipsec-fix-catch-22-with-algorithm-ids-above-31.patch diff --git a/queue-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch b/review-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch similarity index 100% rename from queue-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch rename to review-2.6.25/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch diff --git a/review-2.6.25/mbox b/review-2.6.25/mbox new file mode 100644 index 00000000000..ba2dcdd0805 --- /dev/null +++ b/review-2.6.25/mbox @@ -0,0 +1,3318 @@ +From gregkh@mini.kroah.org Tue Apr 29 10:14:52 2008 +Message-Id: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [00/37] 2.6.25-stable review +Status: RO +Content-Length: 3157 +Lines: 70 + +This is the start of the stable review cycle for the 2.6.25.1 release. +There are 37 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Thursday, May 1 16:00:00 UTC. Anything +received after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.1-rc1.gz +and the diffstat can be found below. + + +thanks, + +the -stable release team + +--------------------- + + Makefile | 2 + arch/alpha/kernel/osf_sys.c | 1 + arch/x86/kernel/io_apic_32.c | 1 + arch/x86/pci/irq.c | 12 ++--- + drivers/infiniband/hw/nes/nes.c | 4 - + drivers/infiniband/hw/nes/nes_cm.c | 6 +- + drivers/infiniband/hw/nes/nes_hw.c | 20 ++++----- + drivers/md/dm-exception-store.c | 2 + drivers/media/video/cx88/cx88-cards.c | 4 + + drivers/media/video/ivtv/ivtv-ioctl.c | 3 - + drivers/media/video/tea5761.c | 15 ++++-- + drivers/media/video/tuner-core.c | 6 +- + drivers/net/s2io.c | 4 - + drivers/net/tehuti.c | 15 ++++++ + drivers/net/tg3.c | 52 ++++++++++++++++++++++-- + drivers/net/tg3.h | 1 + drivers/net/wireless/b43/dma.c | 73 ++++++++++++++++++++++++---------- + drivers/net/wireless/b43/main.c | 28 ++++++++++++- + drivers/rtc/rtc-pcf8583.c | 2 + drivers/scsi/qla2xxx/qla_os.c | 2 + drivers/serial/dz.c | 2 + drivers/ssb/pci.c | 5 ++ + drivers/usb/core/hub.c | 1 + drivers/usb/host/ohci-pci.c | 4 + + drivers/usb/serial/sierra.c | 1 + fs/aio.c | 12 +++++ + fs/jffs2/erase.c | 18 +++----- + include/linux/rtnetlink.h | 4 - + include/net/tcp.h | 7 ++- + include/net/xfrm.h | 3 + + kernel/cgroup.c | 7 ++- + kernel/hrtimer.c | 34 +++++++++++++-- + mm/pagewalk.c | 8 ++- + net/can/raw.c | 3 - + net/core/rtnetlink.c | 6 ++ + net/dccp/probe.c | 2 + net/ipv4/tcp_probe.c | 9 +--- + net/key/af_key.c | 2 + net/rose/af_rose.c | 6 +- + net/tipc/socket.c | 4 - + net/xfrm/xfrm_policy.c | 2 + net/xfrm/xfrm_user.c | 2 + security/selinux/hooks.c | 15 +++++- + 43 files changed, 307 insertions(+), 103 deletions(-) + + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.006146860@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern +Subject: [01/37] USB: log an error message when USB enumeration fails +Content-Disposition: inline; filename=usb-log-an-error-message-when-usb-enumeration-fails.patch +Content-Length: 758 +Lines: 32 + + +2.6.25-stable review patch. If anyone has any objections, please let us know. + +------------------ + + +From: Alan Stern + +commit: 6427f7995338387ddded92f98adec19ddbf0ae5e + +This patch (as1077) logs an error message whenever the kernel is +unable to enumerate a new USB device. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2664,6 +2664,7 @@ loop: + if ((status == -ENOTCONN) || (status == -ENOTSUPP)) + break; + } ++ dev_err(hub_dev, "unable to enumerate USB device on port %d\n", port1); + + done: + hub_port_disable(hub, port1, 1); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.171417306@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stefan Seyfried +Subject: [02/37] USB: Add HP hs2300 Broadband Wireless Module to sierra.c +Content-Disposition: inline; filename=usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch +Content-Length: 1052 +Lines: 31 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ + +From: Stefan Seyfried + +commit 8f7f85e9f9561507b009d26395c53e70758695ec upstream + +Add the HP hs2300 Broadband Wireless Module (relabeled MC8775) USB IDs + +Signed-off-by: Stefan Seyfried +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/sierra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -164,6 +164,7 @@ static struct usb_device_id id_table [] + { USB_DEVICE(0x1199, 0x6812) }, /* Sierra Wireless MC8775 & AC 875U */ + { USB_DEVICE(0x1199, 0x6813) }, /* Sierra Wireless MC8775 (Thinkpad internal) */ + { USB_DEVICE(0x1199, 0x6815) }, /* Sierra Wireless MC8775 */ ++ { USB_DEVICE(0x03f0, 0x1e1d) }, /* HP hs2300 a.k.a MC8775 */ + { USB_DEVICE(0x1199, 0x6820) }, /* Sierra Wireless AirCard 875 */ + { USB_DEVICE(0x1199, 0x6832) }, /* Sierra Wireless MC8780*/ + { USB_DEVICE(0x1199, 0x6833) }, /* Sierra Wireless MC8781*/ + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.332153378@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Martin Creutziger , + Damir Shayhutdinov , + linux-mtd , + David Woodhouse +Subject: [03/37] JFFS2: Fix free space leak with in-band cleanmarkers +Content-Disposition: inline; filename=jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch +Content-Length: 2444 +Lines: 73 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David Woodhouse + +We were accounting for the cleanmarker by calling jffs2_link_node_ref() +(without locking!), which adjusted both superblock and per-eraseblock +accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size +and adding it to {jeb,c}->used_size. + +But only _then_ were we adding the size of the newly-erased block back +to the superblock counts, and we were adding each of jeb->{free,used}_size +to the corresponding superblock counts. Thus, the size of the cleanmarker +was effectively subtracted from the superblock's free_size _twice_. + +Fix this, by always adding a full eraseblock size to c->free_size when +we've erased a block. And call jffs2_link_node_ref() under the proper +lock, while we're at it. + +Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost) +pinpointing the problem. + +[Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7] + +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/erase.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -419,9 +419,6 @@ static void jffs2_mark_erased_block(stru + if (jffs2_write_nand_cleanmarker(c, jeb)) + goto filebad; + } +- +- /* Everything else got zeroed before the erase */ +- jeb->free_size = c->sector_size; + } else { + + struct kvec vecs[1]; +@@ -449,18 +446,19 @@ static void jffs2_mark_erased_block(stru + + goto filebad; + } +- +- /* Everything else got zeroed before the erase */ +- jeb->free_size = c->sector_size; +- /* FIXME Special case for cleanmarker in empty block */ +- jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL); + } ++ /* Everything else got zeroed before the erase */ ++ jeb->free_size = c->sector_size; + + down(&c->erase_free_sem); + spin_lock(&c->erase_completion_lock); ++ + c->erasing_size -= c->sector_size; +- c->free_size += jeb->free_size; +- c->used_size += jeb->used_size; ++ c->free_size += c->sector_size; ++ ++ /* Account for cleanmarker now, if it's in-band */ ++ if (c->cleanmarker_size && !jffs2_cleanmarker_oob(c)) ++ jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL); + + jffs2_dbg_acct_sanity_check_nolock(c,jeb); + jffs2_dbg_acct_paranoia_check_nolock(c, jeb); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.500349894@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Matt Carlson , + Michael Chan , + "David S. Miller" +Subject: [04/37] tg3: 5701 DMA corruption fix +Content-Disposition: inline; filename=tg3-5701-dma-corruption-fix.patch +Content-Length: 3837 +Lines: 126 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Matt Carlson + +[ Upstream commit: 41588ba1ae166eaba0a70abf2d7ff064ad9331d3 ] + +Herbert Xu's commit fb93134dfc2a6e6fbedc7c270a31da03fce88db9, entitled +"[TCP]: Fix size calculation in sk_stream_alloc_pskb", has triggered a +bug in the 5701 where the 5701 DMA engine will corrupt outgoing +packets. This problem only happens when the starting address of the +packet matches a certain range of offsets and only when the 5701 is +placed downstream of a particular Intel bridge. + +This patch detects the problematic bridge and if present, readjusts the +starting address of the packet data to a dword aligned boundary. + +Signed-off-by: Matt Carlson +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++---- + drivers/net/tg3.h | 1 + + 2 files changed, 49 insertions(+), 4 deletions(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -64,8 +64,8 @@ + + #define DRV_MODULE_NAME "tg3" + #define PFX DRV_MODULE_NAME ": " +-#define DRV_MODULE_VERSION "3.90" +-#define DRV_MODULE_RELDATE "April 12, 2008" ++#define DRV_MODULE_VERSION "3.91" ++#define DRV_MODULE_RELDATE "April 18, 2008" + + #define TG3_DEF_MAC_MODE 0 + #define TG3_DEF_RX_MODE 0 +@@ -4135,11 +4135,21 @@ static int tigon3_dma_hwbug_workaround(s + u32 last_plus_one, u32 *start, + u32 base_flags, u32 mss) + { +- struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC); ++ struct sk_buff *new_skb; + dma_addr_t new_addr = 0; + u32 entry = *start; + int i, ret = 0; + ++ if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5701) ++ new_skb = skb_copy(skb, GFP_ATOMIC); ++ else { ++ int more_headroom = 4 - ((unsigned long)skb->data & 3); ++ ++ new_skb = skb_copy_expand(skb, ++ skb_headroom(skb) + more_headroom, ++ skb_tailroom(skb), GFP_ATOMIC); ++ } ++ + if (!new_skb) { + ret = -1; + } else { +@@ -4462,7 +4472,9 @@ static int tg3_start_xmit_dma_bug(struct + + would_hit_hwbug = 0; + +- if (tg3_4g_overflow_test(mapping, len)) ++ if (tp->tg3_flags3 & TG3_FLG3_5701_DMA_BUG) ++ would_hit_hwbug = 1; ++ else if (tg3_4g_overflow_test(mapping, len)) + would_hit_hwbug = 1; + + tg3_set_txd(tp, entry, mapping, len, base_flags, +@@ -11339,6 +11351,38 @@ static int __devinit tg3_get_invariants( + } + } + ++ if ((GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5701)) { ++ static struct tg3_dev_id { ++ u32 vendor; ++ u32 device; ++ } bridge_chipsets[] = { ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_0 }, ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_1 }, ++ { }, ++ }; ++ struct tg3_dev_id *pci_id = &bridge_chipsets[0]; ++ struct pci_dev *bridge = NULL; ++ ++ while (pci_id->vendor != 0) { ++ bridge = pci_get_device(pci_id->vendor, ++ pci_id->device, ++ bridge); ++ if (!bridge) { ++ pci_id++; ++ continue; ++ } ++ if (bridge->subordinate && ++ (bridge->subordinate->number <= ++ tp->pdev->bus->number) && ++ (bridge->subordinate->subordinate >= ++ tp->pdev->bus->number)) { ++ tp->tg3_flags3 |= TG3_FLG3_5701_DMA_BUG; ++ pci_dev_put(bridge); ++ break; ++ } ++ } ++ } ++ + /* The EPB bridge inside 5714, 5715, and 5780 cannot support + * DMA addresses > 40-bit. This bridge may have other additional + * 57xx devices behind it in some 4-port NIC designs for example. +--- a/drivers/net/tg3.h ++++ b/drivers/net/tg3.h +@@ -2476,6 +2476,7 @@ struct tg3 { + #define TG3_FLG3_NO_NVRAM_ADDR_TRANS 0x00000001 + #define TG3_FLG3_ENABLE_APE 0x00000002 + #define TG3_FLG3_5761_5784_AX_FIXES 0x00000004 ++#define TG3_FLG3_5701_DMA_BUG 0x00000008 + + struct timer_list timer; + u16 timer_counter; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.665498328@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tom Quetchenbach , + "David S. Miller" +Subject: [05/37] tcp: tcp_probe buffer overflow and incorrect return value +Content-Disposition: inline; filename=tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch +Content-Length: 1770 +Lines: 60 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Tom Quetchenbach + +[ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ] + +tcp_probe has a bounds-checking bug that causes many programs (less, +python) to crash reading /proc/net/tcp_probe. When it outputs a log +line to the reader, it only checks if that line alone will fit in the +reader's buffer, rather than that line and all the previous lines it +has already written. + +tcpprobe_read also returns the wrong value if copy_to_user fails--it +just passes on the return value of copy_to_user (number of bytes not +copied), which makes a failure look like a success. + +This patch fixes the buffer overflow and sets the return value to +-EFAULT if copy_to_user fails. + +Patch is against latest net-2.6; tested briefly and seems to fix the +crashes in less and python. + +Signed-off-by: Tom Quetchenbach +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_probe.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_probe.c ++++ b/net/ipv4/tcp_probe.c +@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file + + width = tcpprobe_sprint(tbuf, sizeof(tbuf)); + +- if (width < len) ++ if (cnt + width < len) + tcp_probe.tail = (tcp_probe.tail + 1) % bufsize; + + spin_unlock_bh(&tcp_probe.lock); + + /* if record greater than space available + return partial buffer (so far) */ +- if (width >= len) ++ if (cnt + width >= len) + break; + +- error = copy_to_user(buf + cnt, tbuf, width); +- if (error) +- break; ++ if (copy_to_user(buf + cnt, tbuf, width)) ++ return -EFAULT; + cnt += width; + } + + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:53 2008 +Message-Id: <20080429171453.827856392@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + John Heffner , + "David S. Miller" +Subject: [06/37] TCP: Increase the max_burst threshold from 3 to tp->reordering. +Content-Disposition: inline; filename=tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch +Content-Length: 1450 +Lines: 43 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: John Heffner + +[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ] + +This change is necessary to allow cwnd to grow during persistent +reordering. Cwnd moderation is applied when in the disorder state +and an ack that fills the hole comes in. If the hole was greater +than 3 packets, but less than tp->reordering, cwnd will shrink when +it should not have. + +Signed-off-by: John Heffner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/tcp.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -776,11 +776,14 @@ extern void tcp_enter_cwr(struct sock *s + extern __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst); + + /* Slow start with delack produces 3 packets of burst, so that +- * it is safe "de facto". ++ * it is safe "de facto". This will be the default - same as ++ * the default reordering threshold - but if reordering increases, ++ * we must be able to allow cwnd to burst at least this much in order ++ * to not pull it back when holes are filled. + */ + static __inline__ __u32 tcp_max_burst(const struct tcp_sock *tp) + { +- return 3; ++ return tp->reordering; + } + + /* Returns end sequence number of the receiver's advertised window */ + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171453.992596463@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Patrick McHardy , + "David S. Miller" +Subject: [07/37] RTNETLINK: Fix bogus ASSERT_RTNL warning +Content-Disposition: inline; filename=rtnetlink-fix-bogus-assert_rtnl-warning.patch +Content-Length: 2127 +Lines: 70 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Patrick McHardy + +[ Upstream commit: c9c1014b2bd014c7ec037bbb6f58818162fdb265 ] + +ASSERT_RTNL uses mutex_trylock to test whether the rtnl_mutex is +held. This bogus warnings when running in atomic context, which +f.e. happens when adding secondary unicast addresses through +macvlan or vlan or when synchronizing multicast addresses from +wireless devices. + +Mid-term we might want to consider moving all address updates +to process context since the locking seems overly complicated, +for now just fix the bogus warning by changing ASSERT_RTNL to +use mutex_is_locked(). + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/rtnetlink.h | 4 ++-- + net/core/rtnetlink.c | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/include/linux/rtnetlink.h ++++ b/include/linux/rtnetlink.h +@@ -740,13 +740,13 @@ extern void rtmsg_ifinfo(int type, struc + extern void rtnl_lock(void); + extern void rtnl_unlock(void); + extern int rtnl_trylock(void); ++extern int rtnl_is_locked(void); + + extern void rtnetlink_init(void); + extern void __rtnl_unlock(void); + + #define ASSERT_RTNL() do { \ +- if (unlikely(rtnl_trylock())) { \ +- rtnl_unlock(); \ ++ if (unlikely(!rtnl_is_locked())) { \ + printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \ + __FILE__, __LINE__); \ + dump_stack(); \ +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -82,6 +82,11 @@ int rtnl_trylock(void) + return mutex_trylock(&rtnl_mutex); + } + ++int rtnl_is_locked(void) ++{ ++ return mutex_is_locked(&rtnl_mutex); ++} ++ + static struct rtnl_link *rtnl_msg_handlers[NPROTO]; + + static inline int rtm_msgindex(int msgtype) +@@ -1389,6 +1394,7 @@ EXPORT_SYMBOL(rtnetlink_put_metrics); + EXPORT_SYMBOL(rtnl_lock); + EXPORT_SYMBOL(rtnl_trylock); + EXPORT_SYMBOL(rtnl_unlock); ++EXPORT_SYMBOL(rtnl_is_locked); + EXPORT_SYMBOL(rtnl_unicast); + EXPORT_SYMBOL(rtnl_notify); + EXPORT_SYMBOL(rtnl_set_sk_err); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171454.155727462@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Bernard Pidoux , + "David S. Miller" +Subject: [08/37] rose: Socket lock was not released before returning to user space +Content-Disposition: inline; filename=rose-socket-lock-was-not-released-before-returning-to-user-space.patch +Content-Length: 1972 +Lines: 59 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Bernard Pidoux + +[ Upstream commit: 43837b1e6c5aef803d57009a68db18df13e64892 ] + +================================================ +[ BUG: lock held when returning to user space! ] +------------------------------------------------ +xfbbd/3683 is leaving the kernel with locks still held! +1 lock held by xfbbd/3683: + #0: (sk_lock-AF_ROSE){--..}, at: [] rose_connect+0x73/0x420 [rose] + +INFO: task xfbbd:3683 blocked for more than 120 seconds. +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +xfbbd D 00000246 0 3683 3669 + c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0 + c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001 + c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40 +Call Trace: + [] lock_sock_nested+0x6b/0xd0 + [] ? autoremove_wake_function+0x0/0x40 + [] sock_fasync+0x41/0x150 + [] sock_close+0x19/0x40 + [] __fput+0xb4/0x170 + [] fput+0x18/0x20 + [] filp_close+0x3e/0x70 + [] sys_close+0x69/0xb0 + [] sysenter_past_esp+0x5f/0xa5 + ======================= +INFO: lockdep is turned off. + +Signed-off-by: Bernard Pidoux +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rose/af_rose.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -760,8 +760,10 @@ static int rose_connect(struct socket *s + + rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause, + &diagnostic); +- if (!rose->neighbour) +- return -ENETUNREACH; ++ if (!rose->neighbour) { ++ err = -ENETUNREACH; ++ goto out_release; ++ } + + rose->lci = rose_new_lci(rose->neighbour); + if (!rose->lci) { + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171454.333490139@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Pavel Emelyanov , + "David S. Miller" +Subject: [09/37] net: Fix wrong interpretation of some copy_to_user() results. +Content-Disposition: inline; filename=net-fix-wrong-interpretation-of-some-copy_to_user-results.patch +Content-Length: 1798 +Lines: 61 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Pavel Emelyanov + +[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ] + +I found some places, that erroneously return the value obtained from +the copy_to_user() call: if some amount of bytes were not able to get +to the user (this is what this one returns) the proper behavior is to +return the -EFAULT error, not that number itself. + +Signed-off-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/raw.c | 3 ++- + net/dccp/probe.c | 2 +- + net/tipc/socket.c | 4 ++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket + int fsize = ro->count * sizeof(struct can_filter); + if (len > fsize) + len = fsize; +- err = copy_to_user(optval, ro->filter, len); ++ if (copy_to_user(optval, ro->filter, len)) ++ err = -EFAULT; + } else + len = 0; + release_sock(sk); +--- a/net/dccp/probe.c ++++ b/net/dccp/probe.c +@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil + goto out_free; + + cnt = kfifo_get(dccpw.fifo, tbuf, len); +- error = copy_to_user(buf, tbuf, cnt); ++ error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0; + + out_free: + vfree(tbuf); +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc + else if (len < sizeof(value)) { + res = -EINVAL; + } +- else if ((res = copy_to_user(ov, &value, sizeof(value)))) { +- /* couldn't return value */ ++ else if (copy_to_user(ov, &value, sizeof(value))) { ++ res = -EFAULT; + } + else { + res = put_user(sizeof(value), ol); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171454.501654040@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:32 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu , + "David S. Miller" +Subject: [10/37] IPSEC: Fix catch-22 with algorithm IDs above 31 +Content-Disposition: inline; filename=ipsec-fix-catch-22-with-algorithm-ids-above-31.patch +Content-Length: 2750 +Lines: 84 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Herbert Xu + +[ Upstream commit: c5d18e984a313adf5a1a4ae69e0b1d93cf410229 ] + +As it stands it's impossible to use any authentication algorithms +with an ID above 31 portably. It just happens to work on x86 but +fails miserably on ppc64. + +The reason is that we're using a bit mask to check the algorithm +ID but the mask is only 32 bits wide. + +After looking at how this is used in the field, I have concluded +that in the long term we should phase out state matching by IDs +because this is made superfluous by the reqid feature. For current +applications, the best solution IMHO is to allow all algorithms when +the bit masks are all ~0. + +The following patch does exactly that. + +This bug was identified by IBM when testing on the ppc64 platform +using the NULL authentication algorithm which has an ID of 251. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/xfrm.h | 3 +++ + net/key/af_key.c | 2 +- + net/xfrm/xfrm_policy.c | 2 +- + net/xfrm/xfrm_user.c | 2 ++ + 4 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -435,6 +435,9 @@ struct xfrm_tmpl + /* May skip this transfomration if no SA is found */ + __u8 optional; + ++/* Skip aalgos/ealgos/calgos checks. */ ++ __u8 allalgs; ++ + /* Bit mask of algos allowed for acquisition */ + __u32 aalgos; + __u32 ealgos; +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1856,7 +1856,7 @@ parse_ipsecrequest(struct xfrm_policy *x + t->encap_family = xp->family; + + /* No way to set this via kame pfkey */ +- t->aalgos = t->ealgos = t->calgos = ~0; ++ t->allalgs = 1; + xp->xfrm_nr++; + return 0; + } +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1772,7 +1772,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, st + (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && + (x->props.reqid == tmpl->reqid || !tmpl->reqid) && + x->props.mode == tmpl->mode && +- ((tmpl->aalgos & (1<props.aalgo)) || ++ (tmpl->allalgs || (tmpl->aalgos & (1<props.aalgo)) || + !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && + !(x->props.mode != XFRM_MODE_TRANSPORT && + xfrm_state_addr_cmp(tmpl, x, family)); +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -975,6 +975,8 @@ static void copy_templates(struct xfrm_p + t->aalgos = ut->aalgos; + t->ealgos = ut->ealgos; + t->calgos = ut->calgos; ++ /* If all masks are ~0, then we allow all algorithms. */ ++ t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); + t->encap_family = ut->family; + } + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171454.665345515@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:33 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + David Brownell +Subject: [11/37] USB: OHCI: fix bug in controller resume +Content-Disposition: inline; filename=usb-ohci-fix-bug-in-controller-resume.patch +Content-Length: 1195 +Lines: 42 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Alan Stern + +commit: 0d22f65515307c878ddd20b1305cce925ca9516c + +This patch (as1063) fixes a bug in the way ohci-hcd resumes its +controllers. It leaves the Master Interrupt Enable bit turned off. + +If the root hub is resumed immediately this won't matter. But if the +root hub is suspended (say because no devices are plugged in), it won't +ever wake up by itself. + +Signed-off-by: Alan Stern +CC: David Brownell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ohci-pci.c ++++ b/drivers/usb/host/ohci-pci.c +@@ -312,11 +312,13 @@ static int ohci_pci_suspend (struct usb_ + + static int ohci_pci_resume (struct usb_hcd *hcd) + { ++ struct ohci_hcd *ohci = hcd_to_ohci(hcd); ++ + set_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags); + + /* FIXME: we should try to detect loss of VBUS power here */ + prepare_for_handover(hcd); +- ++ ohci_writel(ohci, OHCI_INTR_MIE, &ohci->regs->intrenable); + return 0; + } + + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:54 2008 +Message-Id: <20080429171454.830762698@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mikulas Patocka , + Milan Broz , + Alasdair G Kergon +Subject: [12/37] dm snapshot: fix chunksize sector conversion +Content-Disposition: inline; filename=dm-snapshot-fix-chunksize-sector-conversion.patch +Content-Length: 950 +Lines: 34 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Mikulas Patocka + +commit: 924362629bf5645aee5f49f8a0d0d5b193e65997 + +If a snapshot has a smaller chunksize than the page size the +conversion to pages currently returns 0 instead of 1, causing: +kernel BUG in mempool_resize. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Milan Broz +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-exception-store.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-exception-store.c ++++ b/drivers/md/dm-exception-store.c +@@ -131,7 +131,7 @@ struct pstore { + + static unsigned sectors_to_pages(unsigned sectors) + { +- return sectors / (PAGE_SIZE >> 9); ++ return DIV_ROUND_UP(sectors, PAGE_SIZE >> 9); + } + + static int alloc_area(struct pstore *ps) + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171454.999005659@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:35 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Li Zefan , + Paul Menage +Subject: [13/37] cgroup: fix a race condition in manipulating tsk->cg_list +Content-Disposition: inline; filename=cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch +Content-Length: 2474 +Lines: 80 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Li Zefan + +commit: 0e04388f0189fa1f6812a8e1cb6172136eada87e + +When I ran a test program to fork mass processes and at the same time +'cat /cgroup/tasks', I got the following oops: + + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:72! + invalid opcode: 0000 [#1] SMP + Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72) + ... + Call Trace: + [] ? cgroup_exit+0x55/0x94 + [] ? do_exit+0x217/0x5ba + [] ? do_group_exit+0.65/0x7c + [] ? sys_exit_group+0xf/0x11 + [] ? syscall_call+0x7/0xb + [] ? init_cyrix+0x2fa/0x479 + ... + EIP: [] list_del+0x35/0x53 SS:ESP 0068:ebc7df4 + ---[ end trace caffb7332252612b ]--- + Fixing recursive fault but reboot is needed! + +After digging into the code and debugging, I finlly found out a race +situation: + + do_exit() + ->cgroup_exit() + ->if (!list_empty(&tsk->cg_list)) + list_del(&tsk->cg_list); + + cgroup_iter_start() + ->cgroup_enable_task_cg_list() + ->list_add(&tsk->cg_list, ..); + +In this case the list won't be deleted though the process has exited. + +We got two bug reports in the past, which seem to be the same bug as +this one: + http://lkml.org/lkml/2008/3/5/332 + http://lkml.org/lkml/2007/10/17/224 + +Actually sometimes I got oops on list_del, sometimes oops on list_add. +And I can change my test program a bit to trigger other oops. + +The patch has been tested both on x86_32 and x86_64. + +Signed-off-by: Li Zefan +Acked-by: Paul Menage +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -1722,7 +1722,12 @@ void cgroup_enable_task_cg_lists(void) + use_task_css_set_links = 1; + do_each_thread(g, p) { + task_lock(p); +- if (list_empty(&p->cg_list)) ++ /* ++ * We should check if the process is exiting, otherwise ++ * it will race with cgroup_exit() in that the list ++ * entry won't be deleted though the process has exited. ++ */ ++ if (!(p->flags & PF_EXITING) && list_empty(&p->cg_list)) + list_add(&p->cg_list, &p->cgroups->tasks); + task_unlock(p); + } while_each_thread(g, p); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171455.160636956@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:36 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Roland Dreier +Subject: [14/37] RDMA/nes: Free IRQ before killing tasklet +Content-Disposition: inline; filename=rdma-nes-free-irq-before-killing-tasklet.patch +Content-Length: 1068 +Lines: 40 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Roland Dreier + +commit: 4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66 + +Move the free_irq() call in nes_remove() to before the tasklet_kill(); +otherwise there is a window after tasklet_kill() where a new interrupt +can be handled and reschedule the tasklet, leading to a use-after-free +crash. + +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/nes/nes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/nes/nes.c ++++ b/drivers/infiniband/hw/nes/nes.c +@@ -751,13 +751,13 @@ static void __devexit nes_remove(struct + + list_del(&nesdev->list); + nes_destroy_cqp(nesdev); ++ ++ free_irq(pcidev->irq, nesdev); + tasklet_kill(&nesdev->dpc_tasklet); + + /* Deallocate the Adapter Structure */ + nes_destroy_adapter(nesdev->nesadapter); + +- free_irq(pcidev->irq, nesdev); +- + if (nesdev->msi_enabled) { + pci_disable_msi(pcidev); + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171455.352921309@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:37 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox , + Hans Verkuil , + v4l-dvb maintainer list , + Mauro Carvalho Chehab +Subject: [15/37] V4L: Fix VIDIOCGAP corruption in ivtv +Content-Disposition: inline; filename=v4l-fix-vidiocgap-corruption-in-ivtv.patch +Content-Length: 1548 +Lines: 42 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Alan Cox + +(cherry picked from commit d2b213f7b76f187c4391079c7581d3a08b940133) + +Frank Bennett reported that ivtv was causing skype to crash. With help +from one of their developers he showed it was a kernel problem. +VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names +that are too long and does not truncate them so corrupts a few bytes of +the app data area. + +Possibly the names also want trimming but for now this should fix the +corruption case. + +Signed-off-by: Alan Cox +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-ioctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/video/ivtv/ivtv-ioctl.c ++++ b/drivers/media/video/ivtv/ivtv-ioctl.c +@@ -741,7 +741,8 @@ int ivtv_v4l2_ioctls(struct ivtv *itv, s + + memset(vcap, 0, sizeof(*vcap)); + strcpy(vcap->driver, IVTV_DRIVER_NAME); /* driver name */ +- strcpy(vcap->card, itv->card_name); /* card type */ ++ strncpy(vcap->card, itv->card_name, ++ sizeof(vcap->card)-1); /* card type */ + strcpy(vcap->bus_info, pci_name(itv->dev)); /* bus info... */ + vcap->version = IVTV_DRIVER_VERSION; /* version */ + vcap->capabilities = itv->v4l2_cap; /* capabilities */ + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171455.514400422@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:38 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + v4l-dvb maintainer list , + Mauro Carvalho Chehab +Subject: [16/37] V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken +Content-Disposition: inline; filename=v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch +Content-Length: 2233 +Lines: 71 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Mauro Carvalho Chehab + +(cherry picked from commit 867e835f4db4eba6d49072382cc05fc210c4ed1c) + +Fix bugzilla #10462: "tea5761 autodetection code were broken" + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/tea5761.c | 15 ++++++++++----- + drivers/media/video/tuner-core.c | 6 +++--- + 2 files changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/media/video/tea5761.c ++++ b/drivers/media/video/tea5761.c +@@ -249,14 +249,19 @@ int tea5761_autodetection(struct i2c_ada + + if (16 != (rc = tuner_i2c_xfer_recv(&i2c, buffer, 16))) { + printk(KERN_WARNING "it is not a TEA5761. Received %i chars.\n", rc); +- return EINVAL; ++ return -EINVAL; + } + +- if (!((buffer[13] != 0x2b) || (buffer[14] != 0x57) || (buffer[15] != 0x061))) { +- printk(KERN_WARNING "Manufacturer ID= 0x%02x, Chip ID = %02x%02x. It is not a TEA5761\n",buffer[13],buffer[14],buffer[15]); +- return EINVAL; ++ if ((buffer[13] != 0x2b) || (buffer[14] != 0x57) || (buffer[15] != 0x061)) { ++ printk(KERN_WARNING "Manufacturer ID= 0x%02x, Chip ID = %02x%02x." ++ " It is not a TEA5761\n", ++ buffer[13], buffer[14], buffer[15]); ++ return -EINVAL; + } +- printk(KERN_WARNING "TEA5761 detected.\n"); ++ printk(KERN_WARNING "tea5761: TEA%02x%02x detected. " ++ "Manufacturer ID= 0x%02x\n", ++ buffer[14], buffer[15], buffer[13]); ++ + return 0; + } + +--- a/drivers/media/video/tuner-core.c ++++ b/drivers/media/video/tuner-core.c +@@ -1112,8 +1112,8 @@ static int tuner_probe(struct i2c_client + if (!no_autodetect) { + switch (client->addr) { + case 0x10: +- if (tea5761_autodetection(t->i2c->adapter, t->i2c->addr) +- != EINVAL) { ++ if (tea5761_autodetection(t->i2c->adapter, ++ t->i2c->addr) >= 0) { + t->type = TUNER_TEA5761; + t->mode_mask = T_RADIO; + t->mode = T_STANDBY; +@@ -1125,7 +1125,7 @@ static int tuner_probe(struct i2c_client + + goto register_client; + } +- break; ++ return -ENODEV; + case 0x42: + case 0x43: + case 0x4a: + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171455.682106303@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:39 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Steven Toth , + v4l-dvb maintainer list , + Mauro Carvalho Chehab +Subject: [17/37] V4L: cx88: enable radio GPIO correctly +Content-Disposition: inline; filename=v4l-cx88-enable-radio-gpio-correctly.patch +Content-Length: 1242 +Lines: 40 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Steven Toth + +(cherry picked from commit 6b92b3bd7ac91b7e255541f4be9bfd55b12dae41) + +This patch fixes an issue on the HVR1300, where GPIO is blown away due to +the radio input being undefined, breaking the functionality of the DVB +demodulator and MPEG2 encoder used on the cx8802 mpeg TS port. + +This is a minimal patch for 2.6.26 and the -stable series. This must be +fixed a better way for 2.6.27. + +Signed-off-by: Steven Toth +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Michael Krufky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx88/cx88-cards.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/video/cx88/cx88-cards.c ++++ b/drivers/media/video/cx88/cx88-cards.c +@@ -1354,6 +1354,10 @@ static const struct cx88_board cx88_boar + }}, + /* fixme: Add radio support */ + .mpeg = CX88_MPEG_DVB | CX88_MPEG_BLACKBIRD, ++ .radio = { ++ .type = CX88_RADIO, ++ .gpio0 = 0xe780, ++ }, + }, + [CX88_BOARD_ADSTECH_PTV_390] = { + .name = "ADS Tech Instant Video PCI", + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:55 2008 +Message-Id: <20080429171455.846382001@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:40 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jeff@garzik.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + support@neterion.com, + Santosh Rastapur , + Ramkrishna Vepa , + Jeff Garzik +Subject: [18/37] S2io: Fix memory leak during free_tx_buffers +Content-Disposition: inline; filename=s2io-fix-memory-leak-during-free_tx_buffers.patch +Content-Length: 1068 +Lines: 32 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Sreenivasa Honnur + +commit b35b3b49fc6750806964048b31799c8782980ef9 upstream + +- Fix the memory leak during free_tx_buffers. + +Signed-off-by: Santosh Rastapur +Signed-off-by: Ramkrishna Vepa +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/s2io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/s2io.c ++++ b/drivers/net/s2io.c +@@ -2339,7 +2339,7 @@ static void free_tx_buffers(struct s2io_ + for (i = 0; i < config->tx_fifo_num; i++) { + unsigned long flags; + spin_lock_irqsave(&mac_control->fifos[i].tx_lock, flags); +- for (j = 0; j < config->tx_cfg[i].fifo_len - 1; j++) { ++ for (j = 0; j < config->tx_cfg[i].fifo_len; j++) { + txdp = (struct TxD *) \ + mac_control->fifos[i].list_info[j].list_virt_addr; + skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:56 2008 +Message-Id: <20080429171456.009820930@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:41 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jeff@garzik.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + support@neterion.com, + Santosh Rastapur , + Ramkrishna Vepa , + Jeff Garzik +Subject: [19/37] S2io: Version update for memory leak fix during free_tx_buffers +Content-Disposition: inline; filename=s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch +Content-Length: 810 +Lines: 32 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Sreenivasa Honnur + +commit 10371b5e6ba22173425877ea6a7040619b005fa1 upstream + +- Updated version number. + +Signed-off-by: Santosh Rastapur +Signed-off-by: Ramkrishna Vepa +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/s2io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/s2io.c ++++ b/drivers/net/s2io.c +@@ -84,7 +84,7 @@ + #include "s2io.h" + #include "s2io-regs.h" + +-#define DRV_VERSION "2.0.26.20" ++#define DRV_VERSION "2.0.26.22" + + /* S2io Driver name & version. */ + static char s2io_driver_name[] = "Neterion"; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:56 2008 +Message-Id: <20080429171456.177192062@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:42 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + selinux@tycho.nsa.gov +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + sds@tycho.nsa.gov, + jmorris@namei.org, + Eric Paris +Subject: [20/37] SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts +Content-Disposition: inline; filename=selinux-no-bug_on-in-selinux_clone_mnt_opts.patch +Content-Length: 1701 +Lines: 49 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Eric Paris + +commit 0f5e64200f20fc8f5b759c4010082f577ab0af3f upstream + +The Fedora installer actually makes multiple NFS mounts before it loads +selinux policy. The code in selinux_clone_mnt_opts() assumed that the +init process would always be loading policy before NFS was up and +running. It might be possible to hit this in a diskless environment as +well, I'm not sure. There is no need to BUG_ON() in this situation +since we can safely continue given the circumstances. + +Signed-off-by: Eric Paris +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -756,9 +756,18 @@ static void selinux_sb_clone_mnt_opts(co + int set_context = (oldsbsec->flags & CONTEXT_MNT); + int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); + +- /* we can't error, we can't save the info, this shouldn't get called +- * this early in the boot process. */ +- BUG_ON(!ss_initialized); ++ /* ++ * if the parent was able to be mounted it clearly had no special lsm ++ * mount options. thus we can safely put this sb on the list and deal ++ * with it later ++ */ ++ if (!ss_initialized) { ++ spin_lock(&sb_security_lock); ++ if (list_empty(&newsbsec->list)) ++ list_add(&newsbsec->list, &superblock_security_head); ++ spin_unlock(&sb_security_lock); ++ return; ++ } + + /* how can we clone if the old one wasn't set up?? */ + BUG_ON(!oldsbsec->initialized); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:56 2008 +Message-Id: <20080429171456.352309920@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:43 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + =?ISO-8859-15?q?Bj=C3=B6rn=20Steinbrink?= , + Ingo Molnar +Subject: [21/37] x86, pci: fix off-by-one errors in some pirq warnings +Content-Disposition: inline; filename=x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch +Content-Length: 2240 +Lines: 80 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Björn Steinbrink + +commit 223ac2f42d49dd0324ca02ea15897ead1a2f5133 upstream. + +fix bogus pirq warnings reported in: + + http://bugzilla.kernel.org/show_bug.cgi?id=10366 + +safe to be backported to v2.6.25 and earlier. + +Signed-off-by: Björn Steinbrink +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/irq.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/pci/irq.c ++++ b/arch/x86/pci/irq.c +@@ -200,7 +200,7 @@ static int pirq_ali_get(struct pci_dev * + { + static const unsigned char irqmap[16] = { 0, 9, 3, 10, 4, 5, 7, 6, 1, 11, 0, 12, 0, 14, 0, 15 }; + +- WARN_ON_ONCE(pirq >= 16); ++ WARN_ON_ONCE(pirq > 16); + return irqmap[read_config_nybble(router, 0x48, pirq-1)]; + } + +@@ -209,7 +209,7 @@ static int pirq_ali_set(struct pci_dev * + static const unsigned char irqmap[16] = { 0, 8, 0, 2, 4, 5, 7, 6, 0, 1, 3, 9, 11, 0, 13, 15 }; + unsigned int val = irqmap[irq]; + +- WARN_ON_ONCE(pirq >= 16); ++ WARN_ON_ONCE(pirq > 16); + if (val) { + write_config_nybble(router, 0x48, pirq-1, val); + return 1; +@@ -260,7 +260,7 @@ static int pirq_via586_get(struct pci_de + { + static const unsigned int pirqmap[5] = { 3, 2, 5, 1, 1 }; + +- WARN_ON_ONCE(pirq >= 5); ++ WARN_ON_ONCE(pirq > 5); + return read_config_nybble(router, 0x55, pirqmap[pirq-1]); + } + +@@ -268,7 +268,7 @@ static int pirq_via586_set(struct pci_de + { + static const unsigned int pirqmap[5] = { 3, 2, 5, 1, 1 }; + +- WARN_ON_ONCE(pirq >= 5); ++ WARN_ON_ONCE(pirq > 5); + write_config_nybble(router, 0x55, pirqmap[pirq-1], irq); + return 1; + } +@@ -282,7 +282,7 @@ static int pirq_ite_get(struct pci_dev * + { + static const unsigned char pirqmap[4] = { 1, 0, 2, 3 }; + +- WARN_ON_ONCE(pirq >= 4); ++ WARN_ON_ONCE(pirq > 4); + return read_config_nybble(router,0x43, pirqmap[pirq-1]); + } + +@@ -290,7 +290,7 @@ static int pirq_ite_set(struct pci_dev * + { + static const unsigned char pirqmap[4] = { 1, 0, 2, 3 }; + +- WARN_ON_ONCE(pirq >= 4); ++ WARN_ON_ONCE(pirq > 4); + write_config_nybble(router, 0x43, pirqmap[pirq-1], irq); + return 1; + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:56 2008 +Message-Id: <20080429171456.518455268@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:44 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-wireless@vger.kernel.org, + bcm43xx-dev@lists.berlios.de, + Larry Finger , + Gabor Stefanik , + Michael Buesch , + "John W. Linville" +Subject: [22/37] ssb: Fix all-ones boardflags +Content-Disposition: inline; filename=ssb-fix-all-ones-boardflags.patch +Content-Length: 1152 +Lines: 42 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Larry Finger + +commit 4503183aa32e6886400d82282292934fa64a81b0 upstream + +In the SSB SPROM a field set to all ones means the value +is not defined in the SPROM. +In case of the boardflags, we need to set them to zero +to avoid confusing drivers. Drivers will only check the +flags by ANDing. + + +Signed-off-by: Larry Finger +Signed-off-by: Gabor Stefanik +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -482,6 +482,11 @@ static int sprom_extract(struct ssb_bus + goto unsupported; + } + ++ if (out->boardflags_lo == 0xFFFF) ++ out->boardflags_lo = 0; /* per specs */ ++ if (out->boardflags_hi == 0xFFFF) ++ out->boardflags_hi = 0; /* per specs */ ++ + return 0; + unsupported: + ssb_printk(KERN_WARNING PFX "Unsupported SPROM revision %d " + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:56 2008 +Message-Id: <20080429171456.686027124@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:45 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-wireless@vger.kernel.org, + bcm43xx-dev@lists.berlios.de, + Michael Buesch , + "John W. Linville" +Subject: [23/37] b43: Workaround invalid bluetooth settings +Content-Disposition: inline; filename=b43-workaround-invalid-bluetooth-settings.patch +Content-Length: 2979 +Lines: 91 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Michael Buesch + +commit 1855ba7812dbd294fcfc083dc7d3b14d3b1f38db upstream. + +This adds a workaround for invalid bluetooth SPROM settings +on ASUS PCI cards. +This will stop the microcode from poking with the BT GPIO line. +This fixes data transmission on this device, as the BT GPIO line +is used for something TX related on this device +(probably the power amplifier or the radio). +This also adds a modparam knob to help debugging this in the future, +as more devices with this bug may show up. + +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/wireless/b43/main.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -78,6 +78,11 @@ static int modparam_nohwcrypt; + module_param_named(nohwcrypt, modparam_nohwcrypt, int, 0444); + MODULE_PARM_DESC(nohwcrypt, "Disable hardware encryption."); + ++static int modparam_btcoex = 1; ++module_param_named(btcoex, modparam_btcoex, int, 0444); ++MODULE_PARM_DESC(btcoex, "Enable Bluetooth coexistance (default on)"); ++ ++ + static const struct ssb_device_id b43_ssb_tbl[] = { + SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 5), + SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 6), +@@ -3339,6 +3344,8 @@ static void b43_bluetooth_coext_enable(s + struct ssb_sprom *sprom = &dev->dev->bus->sprom; + u32 hf; + ++ if (!modparam_btcoex) ++ return; + if (!(sprom->boardflags_lo & B43_BFL_BTCOEXIST)) + return; + if (dev->phy.type != B43_PHYTYPE_B && !dev->phy.gmode) +@@ -3350,11 +3357,13 @@ static void b43_bluetooth_coext_enable(s + else + hf |= B43_HF_BTCOEX; + b43_hf_write(dev, hf); +- //TODO + } + + static void b43_bluetooth_coext_disable(struct b43_wldev *dev) +-{ //TODO ++{ ++ if (!modparam_btcoex) ++ return; ++ //TODO + } + + static void b43_imcfglo_timeouts_workaround(struct b43_wldev *dev) +@@ -4002,6 +4011,8 @@ static int b43_one_core_attach(struct ss + + static void b43_sprom_fixup(struct ssb_bus *bus) + { ++ struct pci_dev *pdev; ++ + /* boardflags workarounds */ + if (bus->boardinfo.vendor == SSB_BOARDVENDOR_DELL && + bus->chip_id == 0x4301 && bus->boardinfo.rev == 0x74) +@@ -4009,6 +4020,14 @@ static void b43_sprom_fixup(struct ssb_b + if (bus->boardinfo.vendor == PCI_VENDOR_ID_APPLE && + bus->boardinfo.type == 0x4E && bus->boardinfo.rev > 0x40) + bus->sprom.boardflags_lo |= B43_BFL_PACTRL; ++ if (bus->bustype == SSB_BUSTYPE_PCI) { ++ pdev = bus->host_pci; ++ if (pdev->vendor == PCI_VENDOR_ID_BROADCOM && ++ pdev->device == 0x4318 && ++ pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK && ++ pdev->subsystem_device == 0x100F) ++ bus->sprom.boardflags_lo &= ~B43_BFL_BTCOEXIST; ++ } + } + + static void b43_wireless_exit(struct ssb_device *dev, struct b43_wl *wl) + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171456.849124388@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-wireless@vger.kernel.org, + bcm43xx-dev@lists.berlios.de, + Michael Buesch , + "John W. Linville" +Subject: [24/37] b43: Add more btcoexist workarounds +Content-Disposition: inline; filename=b43-add-more-btcoexist-workarounds.patch +Content-Length: 1618 +Lines: 49 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Michael Buesch + +commit 9fc38458355525f801cd2ab403ac89850489a05e upstream + +This adds more workarounds for devices with broken BT bits. + +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/b43/main.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -4009,6 +4009,12 @@ static int b43_one_core_attach(struct ss + return err; + } + ++#define IS_PDEV(pdev, _vendor, _device, _subvendor, _subdevice) ( \ ++ (pdev->vendor == PCI_VENDOR_ID_##_vendor) && \ ++ (pdev->device == _device) && \ ++ (pdev->subsystem_vendor == PCI_VENDOR_ID_##_subvendor) && \ ++ (pdev->subsystem_device == _subdevice) ) ++ + static void b43_sprom_fixup(struct ssb_bus *bus) + { + struct pci_dev *pdev; +@@ -4022,10 +4028,9 @@ static void b43_sprom_fixup(struct ssb_b + bus->sprom.boardflags_lo |= B43_BFL_PACTRL; + if (bus->bustype == SSB_BUSTYPE_PCI) { + pdev = bus->host_pci; +- if (pdev->vendor == PCI_VENDOR_ID_BROADCOM && +- pdev->device == 0x4318 && +- pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK && +- pdev->subsystem_device == 0x100F) ++ if (IS_PDEV(pdev, BROADCOM, 0x4318, ASUSTEK, 0x100F) || ++ IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0015) || ++ IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0013)) + bus->sprom.boardflags_lo &= ~B43_BFL_BTCOEXIST; + } + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171457.041357898@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-wireless@vger.kernel.org, + bcm43xx-dev@lists.berlios.de, + Michael Buesch , + "John W. Linville" +Subject: [25/37] b43: Workaround DMA quirks +Content-Disposition: inline; filename=b43-workaround-dma-quirks.patch +Content-Length: 3240 +Lines: 120 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Michael Buesch + +commit 1033b3ea11820ea1fb1b877207bd6724e9aaedc3 upstream + +Some mainboards/CPUs don't allow DMA masks bigger than a certain limit. +Some VIA crap^h^h^h^hdevices have an upper limit of 0xFFFFFFFF. So in this +case a 64-bit b43 device would always fail to acquire the mask. +Implement a workaround to fallback to lower DMA mask, as we can always +also support a lower mask. + +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville + + +--- + drivers/net/wireless/b43/dma.c | 73 +++++++++++++++++++++++++++++------------ + 1 file changed, 52 insertions(+), 21 deletions(-) + +--- a/drivers/net/wireless/b43/dma.c ++++ b/drivers/net/wireless/b43/dma.c +@@ -822,6 +822,18 @@ static u64 supported_dma_mask(struct b43 + return DMA_30BIT_MASK; + } + ++static enum b43_dmatype dma_mask_to_engine_type(u64 dmamask) ++{ ++ if (dmamask == DMA_30BIT_MASK) ++ return B43_DMA_30BIT; ++ if (dmamask == DMA_32BIT_MASK) ++ return B43_DMA_32BIT; ++ if (dmamask == DMA_64BIT_MASK) ++ return B43_DMA_64BIT; ++ B43_WARN_ON(1); ++ return B43_DMA_30BIT; ++} ++ + /* Main initialization function. */ + static + struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev, +@@ -982,6 +994,42 @@ void b43_dma_free(struct b43_wldev *dev) + dma->tx_ring0 = NULL; + } + ++static int b43_dma_set_mask(struct b43_wldev *dev, u64 mask) ++{ ++ u64 orig_mask = mask; ++ bool fallback = 0; ++ int err; ++ ++ /* Try to set the DMA mask. If it fails, try falling back to a ++ * lower mask, as we can always also support a lower one. */ ++ while (1) { ++ err = ssb_dma_set_mask(dev->dev, mask); ++ if (!err) ++ break; ++ if (mask == DMA_64BIT_MASK) { ++ mask = DMA_32BIT_MASK; ++ fallback = 1; ++ continue; ++ } ++ if (mask == DMA_32BIT_MASK) { ++ mask = DMA_30BIT_MASK; ++ fallback = 1; ++ continue; ++ } ++ b43err(dev->wl, "The machine/kernel does not support " ++ "the required %u-bit DMA mask\n", ++ (unsigned int)dma_mask_to_engine_type(orig_mask)); ++ return -EOPNOTSUPP; ++ } ++ if (fallback) { ++ b43info(dev->wl, "DMA mask fallback from %u-bit to %u-bit\n", ++ (unsigned int)dma_mask_to_engine_type(orig_mask), ++ (unsigned int)dma_mask_to_engine_type(mask)); ++ } ++ ++ return 0; ++} ++ + int b43_dma_init(struct b43_wldev *dev) + { + struct b43_dma *dma = &dev->dma; +@@ -991,27 +1039,10 @@ int b43_dma_init(struct b43_wldev *dev) + enum b43_dmatype type; + + dmamask = supported_dma_mask(dev); +- switch (dmamask) { +- default: +- B43_WARN_ON(1); +- case DMA_30BIT_MASK: +- type = B43_DMA_30BIT; +- break; +- case DMA_32BIT_MASK: +- type = B43_DMA_32BIT; +- break; +- case DMA_64BIT_MASK: +- type = B43_DMA_64BIT; +- break; +- } +- err = ssb_dma_set_mask(dev->dev, dmamask); +- if (err) { +- b43err(dev->wl, "The machine/kernel does not support " +- "the required DMA mask (0x%08X%08X)\n", +- (unsigned int)((dmamask & 0xFFFFFFFF00000000ULL) >> 32), +- (unsigned int)(dmamask & 0x00000000FFFFFFFFULL)); +- return -EOPNOTSUPP; +- } ++ type = dma_mask_to_engine_type(dmamask); ++ err = b43_dma_set_mask(dev, dmamask); ++ if (err) ++ return err; + + err = -ENOMEM; + /* setup TX DMA channels. */ + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171457.201819633@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Francois Romieu , + Jeff Garzik +Subject: [26/37] tehuti: check register size (CVE-2008-1675) +Content-Disposition: inline; filename=tehuti-check-register-size.patch +Content-Length: 1515 +Lines: 56 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Francois Romieu + +commit 6131a2601f42cd7fdbac0e960713396fe68af59f upstream + + +Signed-off-by: Francois Romieu +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tehuti.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/net/tehuti.c ++++ b/drivers/net/tehuti.c +@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes + s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]); + } + ++static int bdx_range_check(struct bdx_priv *priv, u32 offset) ++{ ++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ? ++ -EINVAL : 0; ++} ++ + static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd) + { + struct bdx_priv *priv = ndev->priv; +@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev + switch (data[0]) { + + case BDX_OP_READ: ++ error = bdx_range_check(priv, data[1]); ++ if (error < 0) ++ return error; + data[2] = READ_REG(priv, data[1]); + DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2], + data[2]); +@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev + break; + + case BDX_OP_WRITE: ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ error = bdx_range_check(priv, data[1]); ++ if (error < 0) ++ return error; + WRITE_REG(priv, data[1], data[2]); + DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]); + break; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171457.367678702@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Garzik +Subject: [27/37] tehuti: move ioctl perm check closer to function start (CVE-2008-1675) +Content-Disposition: inline; filename=tehuti-move-ioctl-perm-check-closer-to-function-start.patch +Content-Length: 899 +Lines: 40 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jeff Garzik + +Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream + +Noticed by davem. + +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tehuti.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/tehuti.c ++++ b/drivers/net/tehuti.c +@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev + DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]); + } + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + switch (data[0]) { + + case BDX_OP_READ: +@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev + break; + + case BDX_OP_WRITE: +- if (!capable(CAP_NET_ADMIN)) +- return -EPERM; + error = bdx_range_check(priv, data[1]); + if (error < 0) + return error; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171457.532455650@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Moyer , + Zach Brown , + Christopher Smith , + Benjamin LaHaise +Subject: [28/37] aio: io_getevents() should return if io_destroy() is invoked +Content-Disposition: inline; filename=aio-io_getevents-should-return-if-io_destroy-is-invoked.patch +Content-Length: 1696 +Lines: 56 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Jeff Moyer + +commit e92adcba261fd391591bb63c1703185a04a41554 upstream + +This patch wakes up a thread waiting in io_getevents if another thread +destroys the context. This was tested using a small program that spawns a +thread to wait in io_getevents while the parent thread destroys the io context +and then waits for the getevents thread to exit. Without this patch, the +program hangs indefinitely. With the patch, the program exits as expected. + +Signed-off-by: Jeff Moyer +Cc: Zach Brown +Cc: Christopher Smith +Cc: Benjamin LaHaise +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1166,7 +1166,10 @@ retry: + break; + if (min_nr <= i) + break; +- ret = 0; ++ if (unlikely(ctx->dead)) { ++ ret = -EINVAL; ++ break; ++ } + if (to.timed_out) /* Only check after read evt */ + break; + /* Try to only show up in io wait if there are ops +@@ -1231,6 +1234,13 @@ static void io_destroy(struct kioctx *io + + aio_cancel_all(ioctx); + wait_for_all_aios(ioctx); ++ ++ /* ++ * Wake up any waiters. The setting of ctx->dead must be seen ++ * by other CPUs at this point. Right now, we rely on the ++ * locking done by the above calls to ensure this consistency. ++ */ ++ wake_up(&ioctx->wait); + put_ioctx(ioctx); /* once for the lookup */ + } + + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:57 2008 +Message-Id: <20080429171457.700220688@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Brownell , + Adrian Bunk , + Alessandro Zummo +Subject: [29/37] rtc-pcf8583 build fix +Content-Disposition: inline; filename=rtc-pcf8583-build-fix.patch +Content-Length: 1054 +Lines: 36 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: David Brownell + +commit 77459b059b02c16b2c8cbc39b524941a576ad36e upstream + + +Fix bogus #include in rtc-pcf8583, so it compiles on platforms that +don't support PC clone RTCs. (Original issue noted by Adrian Bunk.) + +Signed-off-by: David Brownell +Cc: Adrian Bunk +Acked-by: Alessandro Zummo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-pcf8583.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-pcf8583.c ++++ b/drivers/rtc/rtc-pcf8583.c +@@ -15,7 +15,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171457.864018042@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Roel Kluin <12o3l@tiscali.nl>, + "Maciej W. Rozycki" , + Johannes Weiner +Subject: [30/37] dz: test after postfix decrement fails in dz_console_putchar() +Content-Disposition: inline; filename=dz-test-after-postfix-decrement-fails-in-dz_console_putchar.patch +Content-Length: 970 +Lines: 35 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Roel Kluin <12o3l@tiscali.nl> + +commit 1ecf0d0cd28a4bfed3009f752061998e52d14db2 upstream + +When loops reaches 0 the postfix decrement still subtracts, so the subsequent +test fails. + +Signed-off-by: Roel Kluin <12o3l@tiscali.nl> +Acked-by: Maciej W. Rozycki +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/dz.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/serial/dz.c ++++ b/drivers/serial/dz.c +@@ -819,7 +819,7 @@ static void dz_console_putchar(struct ua + dz_out(dport, DZ_TCR, mask); + iob(); + udelay(2); +- } while (loops--); ++ } while (--loops); + + if (loops) /* Cannot send otherwise. */ + dz_out(dport, DZ_TDR, ch); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171458.028652164@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Johannes Weiner , + Roel Kluin <12o3l@tiscali.nl>, + Andreas Schwab , + Matt Mackall , + Mikael Pettersson +Subject: [31/37] mm: fix possible off-by-one in walk_pte_range() +Content-Disposition: inline; filename=mm-fix-possible-off-by-one-in-walk_pte_range.patch +Content-Length: 1280 +Lines: 49 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Johannes Weiner + +commit 556637cdabcd5918c7d4a1a2679b8f86fc81e891 upstream + + +After the loop in walk_pte_range() pte might point to the first address after +the pmd it walks. The pte_unmap() is then applied to something bad. + +Spotted by Roel Kluin and Andreas Schwab. + +Signed-off-by: Johannes Weiner +Cc: Roel Kluin <12o3l@tiscali.nl> +Cc: Andreas Schwab +Acked-by: Matt Mackall +Acked-by: Mikael Pettersson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/pagewalk.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, un + int err = 0; + + pte = pte_offset_map(pmd, addr); +- do { ++ for (;;) { + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private); + if (err) + break; +- } while (pte++, addr += PAGE_SIZE, addr != end); ++ addr += PAGE_SIZE; ++ if (addr == end) ++ break; ++ pte++; ++ } + + pte_unmap(pte); + return err; + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171458.194566407@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Bodo Stroesser , + Thomas Gleixner +Subject: [32/37] hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ +Content-Disposition: inline; filename=hrtimer-timeout-too-long-when-using-hrtimer_cb_softirq.patch +Content-Length: 1758 +Lines: 55 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Bodo Stroesser + +commit d7b41a24bfb5d7fa02f7b49be1293d468814e424 upstream + +When using hrtimer with timer->cb_mode == HRTIMER_CB_SOFTIRQ +in some cases the clockevent is not programmed. +This happens, if: + - a timer is rearmed while it's state is HRTIMER_STATE_CALLBACK + - hrtimer_reprogram() returns -ETIME, when it is called after + CALLBACK is finished. This occurs if the new timer->expires + is in the past when CALLBACK is done. +In this case, the timer needs to be removed from the tree and put +onto the pending list again. + +The patch is against 2.6.22.5, but AFAICS, it is relevant +for 2.6.25 also (in run_hrtimer_pending()). + +Signed-off-by: Bodo Stroesser +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -1080,8 +1080,19 @@ static void run_hrtimer_pending(struct h + * If the timer was rearmed on another CPU, reprogram + * the event device. + */ +- if (timer->base->first == &timer->node) +- hrtimer_reprogram(timer, timer->base); ++ struct hrtimer_clock_base *base = timer->base; ++ ++ if (base->first == &timer->node && ++ hrtimer_reprogram(timer, base)) { ++ /* ++ * Timer is expired. Thus move it from tree to ++ * pending list again. ++ */ ++ __remove_hrtimer(timer, base, ++ HRTIMER_STATE_PENDING, 0); ++ list_add_tail(&timer->cb_entry, ++ &base->cpu_base->cb_pending); ++ } + } + } + spin_unlock_irq(&cpu_base->lock); + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171458.360140733@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Chien Tung , + Roland Dreier +Subject: [33/37] RDMA/nes: Fix adapter reset after PXE boot +Content-Disposition: inline; filename=rdma-nes-fix-adapter-reset-after-pxe-boot.patch +Content-Length: 2476 +Lines: 80 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Chien Tung + +commit: bc5698f3ecc9587e1edb343a2878f8d228c49e0e upstream + +After PXE boot, the iw_nes driver does a full reset to ensure the card +is in a clean state. However, it doesn't wait for firmware to +complete its work before issuing a port reset to enable the ports, +which leads to problems bringing up the ports. + +The solution is to wait for firmware to complete its work before +proceeding with port reset. + +This bug was flagged by Roland Dreier . + +Signed-off-by: Chien Tung +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/nes/nes_cm.c | 6 ++++-- + drivers/infiniband/hw/nes/nes_hw.c | 20 +++++++++----------- + 2 files changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/hw/nes/nes_cm.c ++++ b/drivers/infiniband/hw/nes/nes_cm.c +@@ -1834,8 +1834,10 @@ int mini_cm_recv_pkt(struct nes_cm_core + nfo.rem_addr = ntohl(iph->saddr); + nfo.rem_port = ntohs(tcph->source); + +- nes_debug(NES_DBG_CM, "Received packet: dest=0x%08X:0x%04X src=0x%08X:0x%04X\n", +- iph->daddr, tcph->dest, iph->saddr, tcph->source); ++ nes_debug(NES_DBG_CM, "Received packet: dest=" NIPQUAD_FMT ++ ":0x%04X src=" NIPQUAD_FMT ":0x%04X\n", ++ NIPQUAD(iph->daddr), tcph->dest, ++ NIPQUAD(iph->saddr), tcph->source); + + /* note: this call is going to increment cm_node ref count */ + cm_node = find_node(cm_core, +--- a/drivers/infiniband/hw/nes/nes_hw.c ++++ b/drivers/infiniband/hw/nes/nes_hw.c +@@ -625,6 +625,15 @@ unsigned int nes_reset_adapter_ne020(str + nes_debug(NES_DBG_INIT, "Did not see full soft reset done.\n"); + return 0; + } ++ ++ i = 0; ++ while ((nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS) != 0x80) && i++ < 10000) ++ mdelay(1); ++ if (i >= 10000) { ++ printk(KERN_ERR PFX "Internal CPU not ready, status = %02X\n", ++ nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS)); ++ return 0; ++ } + } + + /* port reset */ +@@ -673,17 +682,6 @@ unsigned int nes_reset_adapter_ne020(str + } + } + +- +- +- i = 0; +- while ((nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS) != 0x80) && i++ < 10000) +- mdelay(1); +- if (i >= 10000) { +- printk(KERN_ERR PFX "Internal CPU not ready, status = %02X\n", +- nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS)); +- return 0; +- } +- + return port_count; + } + + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171458.524708227@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Andrew Vasquez , + James Bottomley +Subject: [34/37] SCSI: qla2xxx: Correct regression in relogin code. +Content-Disposition: inline; filename=scsi-qla2xxx-correct-regression-in-relogin-code.patch +Content-Length: 1166 +Lines: 37 + + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Andrew Vasquez + +commit: 666301e673e192c87a40e07a8357d6996b57b70f upstream + + +Commit 63a8651f2548c6bb5132c0b4e7dad4f57a9274db ([SCSI] qla2xxx: +Correct infinite-login-retry issue.) introduced a small +regression where a successful relogin would result in an fcport's +loop_id to be incorrectly reset to FC_NO_LOOP_ID. Only clear-out +loopid, if retries have been 'truly' exhausted. + +Signed-off-by: Andrew Vasquez +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -2357,7 +2357,7 @@ qla2x00_do_dpc(void *data) + } else { + fcport->login_retry = 0; + } +- if (fcport->login_retry == 0) ++ if (fcport->login_retry == 0 && status != QLA_SUCCESS) + fcport->loop_id = FC_NO_LOOP_ID; + } + if (test_bit(LOOP_RESYNC_NEEDED, &ha->dpc_flags)) + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:58 2008 +Message-Id: <20080429171458.687944337@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ivan Kokshaysky +Subject: [35/37] alpha: unbreak OSF/1 (a.out) binaries +Content-Disposition: inline; filename=alpha-unbreak-osf-1-binaries.patch +Content-Length: 1161 +Lines: 41 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Ivan Kokshaysky + +commit 2444e56b0c08e6f3e3877583841a1213e3263d98 upstream + + +OSF/1 brk(2) was broken by following one-liner in sys_brk() +(commit 4cc6028d4040f95cdb590a87db478b42b8be0508): + +- if (brk < mm->end_code) ++ if (brk < mm->start_brk) + goto out; + +The problem is that osf_set_program_attributes() +does update mm->end_code, but not mm->start_brk, +which still contains inappropriate value left from +binary loader, so brk() always fails. + +Signed-off-by: Ivan Kokshaysky +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -75,6 +75,7 @@ osf_set_program_attributes(unsigned long + lock_kernel(); + mm = current->mm; + mm->end_code = bss_start + bss_len; ++ mm->start_brk = bss_start + bss_len; + mm->brk = bss_start + bss_len; + #if 0 + printk("set_program_attributes(%lx %lx %lx %lx)\n", + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:59 2008 +Message-Id: <20080429171458.851768021@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + netdev@vger.kernel.org, + Peter P Waskiewicz Jr +Subject: [36/37] x86: Fix 32-bit x86 MSI-X allocation leakage +Content-Disposition: inline; filename=x86-fix-32-bit-x86-msi-x-allocation-leakage.patch +Content-Length: 1339 +Lines: 39 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: PJ Waskiewicz + +commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream + +This bug was introduced in the 2.6.24 i386/x86_64 tree merge, where +MSI-X vector allocation will eventually fail. The cause is the new +bit array tracking used vectors is not getting cleared properly on +IRQ destruction on the 32-bit APIC code. + +This can be seen easily using the ixgbe 10 GbE driver on multi-core +systems by simply loading and unloading the driver a few times. +Depending on the number of available vectors on the host system, the +MSI-X allocation will eventually fail, and the driver will only be +able to use legacy interrupts. + +Signed-off-by: Peter P Waskiewicz Jr +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/io_apic_32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/io_apic_32.c ++++ b/arch/x86/kernel/io_apic_32.c +@@ -2477,6 +2477,7 @@ void destroy_irq(unsigned int irq) + dynamic_irq_cleanup(irq); + + spin_lock_irqsave(&vector_lock, flags); ++ clear_bit(irq_vector[irq], used_vectors); + irq_vector[irq] = 0; + spin_unlock_irqrestore(&vector_lock, flags); + } + +-- + +From gregkh@mini.kroah.org Tue Apr 29 10:14:59 2008 +Message-Id: <20080429171459.023160265@mini.kroah.org> +References: <20080429171222.073929148@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Tue, 29 Apr 2008 10:12:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + jejb@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Gleixner , + Peter Zijlstra +Subject: [37/37] hrtimer: raise softirq unlocked to avoid circular lock dependency +Content-Disposition: inline; filename=hrtimer-raise-softirq-unlocked-to-avoid-circular-lock-dependency.patch +Content-Length: 2753 +Lines: 101 + +2.6.25-stable review patch. If anyone has any objections, please let us +know. + +------------------ +From: Thomas Gleixner + +commit 0c96c5979a522c3323c30a078a70120e29b5bdbc upstream + +The scheduler hrtimer bits in 2.6.25 introduced a circular lock +dependency in a rare code path: + +======================================================= +[ INFO: possible circular locking dependency detected ] +2.6.25-sched-devel.git-x86-latest.git #19 +------------------------------------------------------- +X/2980 is trying to acquire lock: + (&rq->rq_lock_key#2){++..}, at: [] task_rq_lock+0x56/0xa0 + +but task is already holding lock: + (&cpu_base->lock){++..}, at: [] lock_hrtimer_base+0x31/0x60 + +which lock already depends on the new lock. + +The scenario which leads to this is: + +posix-timer signal is delivered + -> posix-timer is rearmed + timer is already expired in hrtimer_enqueue() + -> softirq is raised + +To prevent this we need to move the raise of the softirq out of the +base->lock protected code path. + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -590,7 +590,6 @@ static inline int hrtimer_enqueue_reprog + list_add_tail(&timer->cb_entry, + &base->cpu_base->cb_pending); + timer->state = HRTIMER_STATE_PENDING; +- raise_softirq(HRTIMER_SOFTIRQ); + return 1; + default: + BUG(); +@@ -633,6 +632,11 @@ static int hrtimer_switch_to_hres(void) + return 1; + } + ++static inline void hrtimer_raise_softirq(void) ++{ ++ raise_softirq(HRTIMER_SOFTIRQ); ++} ++ + #else + + static inline int hrtimer_hres_active(void) { return 0; } +@@ -651,6 +655,7 @@ static inline int hrtimer_reprogram(stru + { + return 0; + } ++static inline void hrtimer_raise_softirq(void) { } + + #endif /* CONFIG_HIGH_RES_TIMERS */ + +@@ -850,7 +855,7 @@ hrtimer_start(struct hrtimer *timer, kti + { + struct hrtimer_clock_base *base, *new_base; + unsigned long flags; +- int ret; ++ int ret, raise; + + base = lock_hrtimer_base(timer, &flags); + +@@ -884,8 +889,18 @@ hrtimer_start(struct hrtimer *timer, kti + enqueue_hrtimer(timer, new_base, + new_base->cpu_base == &__get_cpu_var(hrtimer_bases)); + ++ /* ++ * The timer may be expired and moved to the cb_pending ++ * list. We can not raise the softirq with base lock held due ++ * to a possible deadlock with runqueue lock. ++ */ ++ raise = timer->state == HRTIMER_STATE_PENDING; ++ + unlock_hrtimer_base(timer, &flags); + ++ if (raise) ++ hrtimer_raise_softirq(); ++ + return ret; + } + EXPORT_SYMBOL_GPL(hrtimer_start); + +-- + diff --git a/queue-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch b/review-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch similarity index 100% rename from queue-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch rename to review-2.6.25/mm-fix-possible-off-by-one-in-walk_pte_range.patch diff --git a/queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch b/review-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch similarity index 100% rename from queue-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch rename to review-2.6.25/net-fix-wrong-interpretation-of-some-copy_to_user-results.patch diff --git a/queue-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch b/review-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch similarity index 100% rename from queue-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch rename to review-2.6.25/rdma-nes-fix-adapter-reset-after-pxe-boot.patch diff --git a/queue-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch b/review-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch similarity index 100% rename from queue-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch rename to review-2.6.25/rdma-nes-free-irq-before-killing-tasklet.patch diff --git a/queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch b/review-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch similarity index 100% rename from queue-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch rename to review-2.6.25/rose-socket-lock-was-not-released-before-returning-to-user-space.patch diff --git a/queue-2.6.25/rtc-pcf8583-build-fix.patch b/review-2.6.25/rtc-pcf8583-build-fix.patch similarity index 100% rename from queue-2.6.25/rtc-pcf8583-build-fix.patch rename to review-2.6.25/rtc-pcf8583-build-fix.patch diff --git a/queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch b/review-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch similarity index 100% rename from queue-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch rename to review-2.6.25/rtnetlink-fix-bogus-assert_rtnl-warning.patch diff --git a/queue-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch b/review-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch similarity index 100% rename from queue-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch rename to review-2.6.25/s2io-fix-memory-leak-during-free_tx_buffers.patch diff --git a/queue-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch b/review-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch similarity index 100% rename from queue-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch rename to review-2.6.25/s2io-version-update-for-memory-leak-fix-during-free_tx_buffers.patch diff --git a/queue-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch b/review-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch similarity index 100% rename from queue-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch rename to review-2.6.25/scsi-qla2xxx-correct-regression-in-relogin-code.patch diff --git a/queue-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch b/review-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch similarity index 100% rename from queue-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch rename to review-2.6.25/selinux-no-bug_on-in-selinux_clone_mnt_opts.patch diff --git a/queue-2.6.25/series b/review-2.6.25/series similarity index 100% rename from queue-2.6.25/series rename to review-2.6.25/series diff --git a/queue-2.6.25/ssb-fix-all-ones-boardflags.patch b/review-2.6.25/ssb-fix-all-ones-boardflags.patch similarity index 100% rename from queue-2.6.25/ssb-fix-all-ones-boardflags.patch rename to review-2.6.25/ssb-fix-all-ones-boardflags.patch diff --git a/queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch b/review-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch similarity index 100% rename from queue-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch rename to review-2.6.25/tcp-increase-the-max_burst-threshold-from-3-to-tp-reordering.patch diff --git a/queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch b/review-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch similarity index 100% rename from queue-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch rename to review-2.6.25/tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch diff --git a/queue-2.6.25/tehuti-check-register-size.patch b/review-2.6.25/tehuti-check-register-size.patch similarity index 100% rename from queue-2.6.25/tehuti-check-register-size.patch rename to review-2.6.25/tehuti-check-register-size.patch diff --git a/queue-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch b/review-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch similarity index 100% rename from queue-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch rename to review-2.6.25/tehuti-move-ioctl-perm-check-closer-to-function-start.patch diff --git a/queue-2.6.25/tg3-5701-dma-corruption-fix.patch b/review-2.6.25/tg3-5701-dma-corruption-fix.patch similarity index 100% rename from queue-2.6.25/tg3-5701-dma-corruption-fix.patch rename to review-2.6.25/tg3-5701-dma-corruption-fix.patch diff --git a/queue-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch b/review-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch similarity index 100% rename from queue-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch rename to review-2.6.25/usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch diff --git a/queue-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch b/review-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch similarity index 100% rename from queue-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch rename to review-2.6.25/usb-log-an-error-message-when-usb-enumeration-fails.patch diff --git a/queue-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch b/review-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch similarity index 100% rename from queue-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch rename to review-2.6.25/usb-ohci-fix-bug-in-controller-resume.patch diff --git a/queue-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch b/review-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch similarity index 100% rename from queue-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch rename to review-2.6.25/v4l-cx88-enable-radio-gpio-correctly.patch diff --git a/queue-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch b/review-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch similarity index 100% rename from queue-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch rename to review-2.6.25/v4l-fix-vidiocgap-corruption-in-ivtv.patch diff --git a/queue-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch b/review-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch similarity index 100% rename from queue-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch rename to review-2.6.25/v4l-tea5761-bugzilla-10462-tea5761-autodetection-code-were-broken.patch diff --git a/queue-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch b/review-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch similarity index 100% rename from queue-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch rename to review-2.6.25/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch diff --git a/queue-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch b/review-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch similarity index 100% rename from queue-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch rename to review-2.6.25/x86-pci-fix-off-by-one-errors-in-some-pirq-warnings.patch