[patch 00/39]

[patch 00/39]

[Chris Wright]

This is the start of the stable review cycle for the 2.6.15.5 release.
There are 39 patches in this series, all will be posted as a response to
this one.  If anyone has any issues with these being applied, please let
us know.  If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
to add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Wed, March 1, 22:30 UTC.  Anything received
after that time, might be too late.

thanks,

the -stable release team
--

[patch 01/39] ppc32: Put cache flush routines back into .relocate_code section

[Chris Wright]

[-- Attachment #1: ppc32-put-cache-flush-routines-back-into-.relocate_code-section.patch --]
[-- Type: text/plain, Size: 2425 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

[PATCH] ppc32: Put cache flush routines back into .relocate_code section

In 2.6.14, we had the following definition of _GLOBAL() in
include/asm-ppc/processor.h:

#define _GLOBAL(n)\
        .stabs __stringify(n:F-1),N_FUN,0,0,n;\
        .globl n;\
n:

In 2.6.15, as part of the great powerpc merge, we moved this definition to
include/asm-powerpc/ppc_asm.h, where it appears (to 32-bit code) as:

#define _GLOBAL(n)      \
        .text;          \
        .stabs __stringify(n:F-1),N_FUN,0,0,n;\
        .globl n;       \
n:

Mostly, this is fine.  However, we also have the following, in
arch/ppc/boot/common/util.S:

        .section ".relocate_code","xa"
[...]
_GLOBAL(flush_instruction_cache)
[...]
_GLOBAL(flush_data_cache)
[...]

The addition of the .text section definition in the definition of
_GLOBAL overrides the .relocate_code section definition.  As a result,
these two functions don't end up in .relocate_code, so they don't get
relocated correctly, and the boot fails.

There's another suspicious-looking usage at kernel/swsusp.S:37 that
someone should look into.  I did not exhaustively search the source
tree, though.

The following is the minimal patch that fixes the immediate problem.
I could easily be convinced that the _GLOBAL definition should be
modified to remove the ".text;" line either instead of, or in addition
to, this fix.

Signed-off-by: Paul Janzen <pcj@linux.sez.to>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 arch/ppc/boot/common/util.S |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.15.3.orig/arch/ppc/boot/common/util.S
+++ linux-2.6.15.3/arch/ppc/boot/common/util.S
@@ -234,7 +234,8 @@ udelay:
  * First, flush the data cache in case it was enabled and may be
  * holding instructions for copy back.
  */
-_GLOBAL(flush_instruction_cache)
+        .globl flush_instruction_cache
+flush_instruction_cache:
 	mflr	r6
 	bl	flush_data_cache
 
@@ -279,7 +280,8 @@ _GLOBAL(flush_instruction_cache)
  * Flush data cache
  * Do this by just reading lots of stuff into the cache.
  */
-_GLOBAL(flush_data_cache)
+        .globl flush_data_cache
+flush_data_cache:
 	lis	r3,cache_flush_buffer@h
 	ori	r3,r3,cache_flush_buffer@l
 	li	r4,NUM_CACHE_LINES

--

[patch 02/39] [PATCH] s390: add #ifdef __KERNEL__ to asm-s390/setup.h

[Chris Wright]

[-- Attachment #1: s390-klibc-build-fix-for-2.6.15.patch --]
[-- Type: text/plain, Size: 1244 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Based on a patch from Maximilian Attems <maks@sternwelten.at> .  Nothing in
asm-s390/setup.h is of interest for user space.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 include/asm-s390/setup.h |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

--- linux-2.6.15.4.orig/include/asm-s390/setup.h
+++ linux-2.6.15.4/include/asm-s390/setup.h
@@ -8,6 +8,8 @@
 #ifndef _ASM_S390_SETUP_H
 #define _ASM_S390_SETUP_H
 
+#ifdef __KERNEL__
+
 #include <asm/types.h>
 
 #define PARMAREA		0x10400
@@ -114,7 +116,7 @@ extern u16 ipl_devno;
 				 IPL_PARMBLOCK_ORIGIN)
 #define IPL_PARMBLOCK_SIZE	(IPL_PARMBLOCK_START->hdr.length)
 
-#else 
+#else /* __ASSEMBLY__ */
 
 #ifndef __s390x__
 #define IPL_DEVICE        0x10404
@@ -127,6 +129,6 @@ extern u16 ipl_devno;
 #endif /* __s390x__ */
 #define COMMAND_LINE      0x10480
 
-#endif
-
-#endif
+#endif /* __ASSEMBLY__ */
+#endif /* __KERNEL__ */
+#endif /* _ASM_S390_SETUP_H */

--

[patch 03/39] shmdt cannot detach not-alined shm segment cleanly.

[Chris Wright]

[-- Attachment #1: shmdt-cannot-detach-not-alined-shm-segment-cleanly.patch --]
[-- Type: text/plain, Size: 1322 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

sys_shmdt() can manage shm segments which are covered by multiple vmas.  (This
can happen when a user uses mprotect() after shmat().)

This works well if shm is aligned to PAGE_SIZE, but if not, the last
segment cannot be detached.  It is because a comparison in sys_shmdt()

	(vma->vm_end - addr) < size
		addr == return address of shmat()
		size == shmsize, argments to shmget()

size should be aligned to PAGE_SIZE before being compared with vma->vm_end,
which is aligned.

Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 ipc/shm.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.15.3.orig/ipc/shm.c
+++ linux-2.6.15.3/ipc/shm.c
@@ -863,6 +863,7 @@ asmlinkage long sys_shmdt(char __user *s
 	 * could possibly have landed at. Also cast things to loff_t to
 	 * prevent overflows and make comparisions vs. equal-width types.
 	 */
+	size = PAGE_ALIGN(size);
 	while (vma && (loff_t)(vma->vm_end - addr) <= size) {
 		next = vma->vm_next;
 

--

[patch 04/39] [PATCH] [BRIDGE]: netfilter missing symbol has_bridge_parent

[Chris Wright]

[-- Attachment #1: netfilter-missing-symbol.patch --]
[-- Type: text/plain, Size: 1204 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

5dce971acf2ae20c80d5e9d1f6bbf17376870911 in Linus' tree,
otherwise known as bridge-netfilter-races-on-device-removal.patch in
2.5.15.4 removed has_bridge_parent, however this symbol is still
called with NETFILTER_DEBUG is enabled.

This patch uses the already seeded realoutdev value to detect if a parent
exists, and if so, the value of the parent.

Signed-Off-By: Horms <horms@verge.net.au>
Acked-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 net/bridge/br_netfilter.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.15.4.orig/net/bridge/br_netfilter.c
+++ linux-2.6.15.4/net/bridge/br_netfilter.c
@@ -794,8 +794,8 @@ static unsigned int br_nf_post_routing(u
 print_error:
 	if (skb->dev != NULL) {
 		printk("[%s]", skb->dev->name);
-		if (has_bridge_parent(skb->dev))
-			printk("[%s]", bridge_parent(skb->dev)->name);
+		if (realoutdev)
+			printk("[%s]", realoutdev->name);
 	}
 	printk(" head:%p, raw:%p, data:%p\n", skb->head, skb->mac.raw,
 					      skb->data);

--

[patch 05/39] [PATCH] i386: Move phys_proc_id/early intel workaround to correct function

[Chris Wright]

[-- Attachment #1: i386-move-phys_proc_id-early-intel-workaround-to-correct-function.patch --]
[-- Type: text/plain, Size: 1892 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

early_cpu_detect only runs on the BP, but this code needs to run
on all CPUs. This will fix problems with the powernow-k8 driver
on dual core systems and general misdetection of AMD dual core.

Looks like a mismerge somewhere.  Also add a warning comment.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 arch/i386/kernel/cpu/common.c |   17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

--- linux-2.6.15.4.orig/arch/i386/kernel/cpu/common.c
+++ linux-2.6.15.4/arch/i386/kernel/cpu/common.c
@@ -207,7 +207,10 @@ static int __devinit have_cpuid_p(void)
 
 /* Do minimum CPU detection early.
    Fields really needed: vendor, cpuid_level, family, model, mask, cache alignment.
-   The others are not touched to avoid unwanted side effects. */
+   The others are not touched to avoid unwanted side effects.
+
+   WARNING: this function is only called on the BP.  Don't add code here
+   that is supposed to run on all CPUs. */
 static void __init early_cpu_detect(void)
 {
 	struct cpuinfo_x86 *c = &boot_cpu_data;
@@ -239,12 +242,6 @@ static void __init early_cpu_detect(void
 		if (cap0 & (1<<19))
 			c->x86_cache_alignment = ((misc >> 8) & 0xff) * 8;
 	}
-
-	early_intel_workaround(c);
-
-#ifdef CONFIG_X86_HT
-	phys_proc_id[smp_processor_id()] = (cpuid_ebx(1) >> 24) & 0xff;
-#endif
 }
 
 void __devinit generic_identify(struct cpuinfo_x86 * c)
@@ -292,6 +289,12 @@ void __devinit generic_identify(struct c
 				get_model_name(c); /* Default name */
 		}
 	}
+
+	early_intel_workaround(c);
+
+#ifdef CONFIG_X86_HT
+	phys_proc_id[smp_processor_id()] = (cpuid_ebx(1) >> 24) & 0xff;
+#endif
 }
 
 static void __devinit squash_the_stupid_serial_number(struct cpuinfo_x86 *c)

--

[patch 06/39] [PATCH] hugetlbfs mmap ENOMEM failure

[Chris Wright]

[-- Attachment #1: hugetlbfs-mmap-enomem-failure.patch --]
[-- Type: text/plain, Size: 1389 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

2.6.15's hugepage faulting introduced huge_pages_needed accounting into
hugetlbfs: to count how many pages are already in cache, for spot check
on how far a new mapping may be allowed to extend the file.  But it's
muddled: each hugepage found covers HPAGE_SIZE, not PAGE_SIZE.  Once
pages were already in cache, it would overshoot, wrap its hugepages
count backwards, and so fail a harmless repeat mapping with -ENOMEM.
Fixes the problem found by Don Dupuis.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Acked-By: Adam Litke <agl@us.ibm.com>
Acked-by: William Irwin <wli@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/hugetlbfs/inode.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.15.4.orig/fs/hugetlbfs/inode.c
+++ linux-2.6.15.4/fs/hugetlbfs/inode.c
@@ -71,8 +71,8 @@ huge_pages_needed(struct address_space *
 	unsigned long start = vma->vm_start;
 	unsigned long end = vma->vm_end;
 	unsigned long hugepages = (end - start) >> HPAGE_SHIFT;
-	pgoff_t next = vma->vm_pgoff;
-	pgoff_t endpg = next + ((end - start) >> PAGE_SHIFT);
+	pgoff_t next = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT);
+	pgoff_t endpg = next + hugepages;
 
 	pagevec_init(&pvec, 0);
 	while (next < endpg) {

--

[patch 07/39] [PATCH] reiserfs: disable automatic enabling of reiserfs inode attributes

[Chris Wright]

[-- Attachment #1: reiserfs-disable-automatic-enabling-of-reiserfs-inode-attributes.patch --]
[-- Type: text/plain, Size: 1291 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

[PATCH] reiserfs: disable automatic enabling of reiserfs inode attributes

Unfortunately, the reiserfs_attrs_cleared bit in the superblock flag can
lie.  File systems have been observed with the bit set, yet still contain
garbage in the stat data field, causing unpredictable results.

This patch backs out the enable-by-default behavior.

It eliminates the changes from: d50a5cd860ce721dbeac6a4f3c6e42abcde68cd8,
and ef5e5414e7a83eb9b4295bbaba5464410b11e030.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/reiserfs/super.c |    2 --
 1 files changed, 2 deletions(-)

--- linux-2.6.15.4.orig/fs/reiserfs/super.c
+++ linux-2.6.15.4/fs/reiserfs/super.c
@@ -1130,8 +1130,6 @@ static void handle_attrs(struct super_bl
 					 "reiserfs: cannot support attributes until flag is set in super-block");
 			REISERFS_SB(s)->s_mount_opt &= ~(1 << REISERFS_ATTRS);
 		}
-	} else if (le32_to_cpu(rs->s_flags) & reiserfs_attrs_cleared) {
-		REISERFS_SB(s)->s_mount_opt |= (1 << REISERFS_ATTRS);
 	}
 }
 

--

[patch 08/39] [NET]: Revert skb_copy_datagram_iovec() recursion elimination.

[Chris Wright]

[-- Attachment #1: revert-skb_copy_datagram_iovec-recursion-elimination.patch --]
[-- Type: text/plain, Size: 3118 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Revert the following changeset:

bc8dfcb93970ad7139c976356bfc99d7e251deaf

Recursive SKB frag lists are really possible and disallowing
them breaks things.

Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com>

Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 net/core/datagram.c |   81 ++++++++++++++++++++++++++++++++++------------------
 1 files changed, 53 insertions(+), 28 deletions(-)

--- linux-2.6.15.4.orig/net/core/datagram.c
+++ linux-2.6.15.4/net/core/datagram.c
@@ -211,49 +211,74 @@ void skb_free_datagram(struct sock *sk, 
 int skb_copy_datagram_iovec(const struct sk_buff *skb, int offset,
 			    struct iovec *to, int len)
 {
-	int i, err, fraglen, end = 0;
-	struct sk_buff *next = skb_shinfo(skb)->frag_list;
+	int start = skb_headlen(skb);
+	int i, copy = start - offset;
 
-	if (!len)
-		return 0;
+	/* Copy header. */
+	if (copy > 0) {
+		if (copy > len)
+			copy = len;
+		if (memcpy_toiovec(to, skb->data + offset, copy))
+			goto fault;
+		if ((len -= copy) == 0)
+			return 0;
+		offset += copy;
+	}
 
-next_skb:
-	fraglen = skb_headlen(skb);
-	i = -1;
+	/* Copy paged appendix. Hmm... why does this look so complicated? */
+	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
+		int end;
 
-	while (1) {
-		int start = end;
+		BUG_TRAP(start <= offset + len);
 
-		if ((end += fraglen) > offset) {
-			int copy = end - offset, o = offset - start;
+		end = start + skb_shinfo(skb)->frags[i].size;
+		if ((copy = end - offset) > 0) {
+			int err;
+			u8  *vaddr;
+			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+			struct page *page = frag->page;
 
 			if (copy > len)
 				copy = len;
-			if (i == -1)
-				err = memcpy_toiovec(to, skb->data + o, copy);
-			else {
-				skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
-				struct page *page = frag->page;
-				void *p = kmap(page) + frag->page_offset + o;
-				err = memcpy_toiovec(to, p, copy);
-				kunmap(page);
-			}
+			vaddr = kmap(page);
+			err = memcpy_toiovec(to, vaddr + frag->page_offset +
+					     offset - start, copy);
+			kunmap(page);
 			if (err)
 				goto fault;
 			if (!(len -= copy))
 				return 0;
 			offset += copy;
 		}
-		if (++i >= skb_shinfo(skb)->nr_frags)
-			break;
-		fraglen = skb_shinfo(skb)->frags[i].size;
+		start = end;
 	}
-	if (next) {
-		skb = next;
-		BUG_ON(skb_shinfo(skb)->frag_list);
-		next = skb->next;
-		goto next_skb;
+
+	if (skb_shinfo(skb)->frag_list) {
+		struct sk_buff *list = skb_shinfo(skb)->frag_list;
+
+		for (; list; list = list->next) {
+			int end;
+
+			BUG_TRAP(start <= offset + len);
+
+			end = start + list->len;
+			if ((copy = end - offset) > 0) {
+				if (copy > len)
+					copy = len;
+				if (skb_copy_datagram_iovec(list,
+							    offset - start,
+							    to, copy))
+					goto fault;
+				if ((len -= copy) == 0)
+					return 0;
+				offset += copy;
+			}
+			start = end;
+		}
 	}
+	if (!len)
+		return 0;
+
 fault:
 	return -EFAULT;
 }

--

[patch 09/39] [IPV6]: Address autoconfiguration does not work after device down/up cycle

[Chris Wright]

[-- Attachment #1: address-autoconfiguration-does-not-work-after-device-down-up-cycle.patch --]
[-- Type: text/plain, Size: 1244 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

If you set network interface down and up again, the IPv6 address
autoconfiguration does not work. 'ip addr' shows that the link-local
address is in tentative state. We don't even react to periodical router
advertisements.

During NETDEV_DOWN we clear IF_READY, and we don't set it back in
NETDEV_UP. While starting to perform DAD on the link-local address, we
notice that the device is not in IF_READY, and we abort autoconfiguration
process (which would eventually send router solicitations).

Acked-by: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 net/ipv6/addrconf.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.15.4.orig/net/ipv6/addrconf.c
+++ linux-2.6.15.4/net/ipv6/addrconf.c
@@ -2164,6 +2164,9 @@ static int addrconf_notify(struct notifi
 					dev->name);
 				break;
 			}
+
+			if (idev)
+				idev->if_flags |= IF_READY;
 		} else {
 			if (!netif_carrier_ok(dev)) {
 				/* device is still not ready. */

--

[patch 10/39] [PATCH] i386/x86-64: Dont IPI to offline cpus on shutdown

[Chris Wright]

[-- Attachment #1: i386-x86-64-don-t-ipi-to-offline-cpus-on-shutdown.patch --]
[-- Type: text/plain, Size: 3026 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

So why are we calling smp_send_stop from machine_halt?

We don't.

Looking more closely at the bug report the problem here
is that halt -p is called which triggers not a halt but
an attempt to power off.

machine_power_off calls machine_shutdown which calls smp_send_stop.

If pm_power_off is set we should never make it out machine_power_off
to the call of do_exit.  So pm_power_off must not be set in this case.
When pm_power_off is not set we expect machine_power_off to devolve
into machine_halt.

So how do we fix this?

Playing too much with smp_send_stop is dangerous because it
must also be safe to be called from panic.

It looks like the obviously correct fix is to only call
machine_shutdown when pm_power_off is defined.  Doing
that will make Andi's assumption about not scheduling
true and generally simplify what must be supported.

This turns machine_power_off into a noop like machine_halt
when pm_power_off is not defined.

If the expected behavior is that sys_reboot(LINUX_REBOOT_CMD_POWER_OFF)
becomes sys_reboot(LINUX_REBOOT_CMD_HALT) if pm_power_off is NULL
this is not quite a comprehensive fix as we pass a different parameter
to the reboot notifier and we set system_state to a different value
before calling device_shutdown().

Unfortunately any fix more comprehensive I can think of is not
obviously correct.  The core problem is that there is no architecture
independent way to detect if machine_power will become a noop, without
calling it.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 arch/i386/kernel/reboot.c   |    7 ++++---
 arch/x86_64/kernel/reboot.c |   10 ++++++----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/arch/i386/kernel/reboot.c b/arch/i386/kernel/reboot.c
index 2fa5803..d207242 100644
--- linux-2.6.15.4.orig/arch/i386/kernel/reboot.c
+++ linux-2.6.15.4/arch/i386/kernel/reboot.c
@@ -12,6 +12,7 @@
 #include <linux/efi.h>
 #include <linux/dmi.h>
 #include <linux/ctype.h>
+#include <linux/pm.h>
 #include <asm/uaccess.h>
 #include <asm/apic.h>
 #include <asm/desc.h>
@@ -355,10 +356,10 @@ void machine_halt(void)
 
 void machine_power_off(void)
 {
-	machine_shutdown();
-
-	if (pm_power_off)
+	if (pm_power_off) {
+		machine_shutdown();
 		pm_power_off();
+	}
 }
 
 
--- linux-2.6.15.4.orig/arch/x86_64/kernel/reboot.c
+++ linux-2.6.15.4/arch/x86_64/kernel/reboot.c
@@ -6,6 +6,7 @@
 #include <linux/kernel.h>
 #include <linux/ctype.h>
 #include <linux/string.h>
+#include <linux/pm.h>
 #include <asm/io.h>
 #include <asm/kdebug.h>
 #include <asm/delay.h>
@@ -154,10 +155,11 @@ void machine_halt(void)
 
 void machine_power_off(void)
 {
-	if (!reboot_force) {
-		machine_shutdown();
-	}
-	if (pm_power_off)
+	if (pm_power_off) {
+		if (!reboot_force) {
+			machine_shutdown();
+		}
 		pm_power_off();
+	}
 }
 

--

[patch 11/39] [PATCH] sys_signal: initialize ->sa_mask

[Chris Wright]

[-- Attachment #1: sys_signal-initialize-sa_mask.patch --]
[-- Type: text/plain, Size: 825 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Pointed out by Linus Torvalds.

sys_signal() forgets to initialize ->sa_mask.

( I suspect arch/ia64/ia32/ia32_signal.c:sys32_signal()
  also needs this fix )

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 kernel/signal.c |    1 +
 1 files changed, 1 insertion(+)

--- linux-2.6.15.4.orig/kernel/signal.c
+++ linux-2.6.15.4/kernel/signal.c
@@ -2604,6 +2604,7 @@ sys_signal(int sig, __sighandler_t handl
 
 	new_sa.sa.sa_handler = handler;
 	new_sa.sa.sa_flags = SA_ONESHOT | SA_NOMASK;
+	sigemptyset(&new_sa.sa.sa_mask);
 
 	ret = do_sigaction(sig, &new_sa, &old_sa);
 

--

[patch 12/39] [PATCH] do_sigaction: cleanup ->sa_mask manipulation

[Chris Wright]

[-- Attachment #1: do_sigaction-cleanup-sa_mask-manipulation.patch --]
[-- Type: text/plain, Size: 2297 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Clear unblockable signals beforehand.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 include/linux/sched.h |    2 +-
 kernel/signal.c       |    8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

--- linux-2.6.15.4.orig/include/linux/sched.h
+++ linux-2.6.15.4/include/linux/sched.h
@@ -1075,7 +1075,7 @@ extern struct sigqueue *sigqueue_alloc(v
 extern void sigqueue_free(struct sigqueue *);
 extern int send_sigqueue(int, struct sigqueue *,  struct task_struct *);
 extern int send_group_sigqueue(int, struct sigqueue *,  struct task_struct *);
-extern int do_sigaction(int, const struct k_sigaction *, struct k_sigaction *);
+extern int do_sigaction(int, struct k_sigaction *, struct k_sigaction *);
 extern int do_sigaltstack(const stack_t __user *, stack_t __user *, unsigned long);
 
 /* These can be the second arg to send_sig_info/send_group_sig_info.  */
--- linux-2.6.15.4.orig/kernel/signal.c
+++ linux-2.6.15.4/kernel/signal.c
@@ -2335,7 +2335,7 @@ sys_rt_sigqueueinfo(int pid, int sig, si
 }
 
 int
-do_sigaction(int sig, const struct k_sigaction *act, struct k_sigaction *oact)
+do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact)
 {
 	struct k_sigaction *k;
 
@@ -2358,6 +2358,8 @@ do_sigaction(int sig, const struct k_sig
 		*oact = *k;
 
 	if (act) {
+		sigdelsetmask(&act->sa.sa_mask,
+			      sigmask(SIGKILL) | sigmask(SIGSTOP));
 		/*
 		 * POSIX 3.3.1.3:
 		 *  "Setting a signal action to SIG_IGN for a signal that is
@@ -2383,8 +2385,6 @@ do_sigaction(int sig, const struct k_sig
 			read_lock(&tasklist_lock);
 			spin_lock_irq(&t->sighand->siglock);
 			*k = *act;
-			sigdelsetmask(&k->sa.sa_mask,
-				      sigmask(SIGKILL) | sigmask(SIGSTOP));
 			rm_from_queue(sigmask(sig), &t->signal->shared_pending);
 			do {
 				rm_from_queue(sigmask(sig), &t->pending);
@@ -2397,8 +2397,6 @@ do_sigaction(int sig, const struct k_sig
 		}
 
 		*k = *act;
-		sigdelsetmask(&k->sa.sa_mask,
-			      sigmask(SIGKILL) | sigmask(SIGSTOP));
 	}
 
 	spin_unlock_irq(&current->sighand->siglock);

--

[patch 13/39] [PATCH] [IA64] sys32_signal() forgets to initialize ->sa_mask

[Chris Wright]

[-- Attachment #1: sys32_signal-forgets-to-initialize-sa_mask.patch --]
[-- Type: text/plain, Size: 747 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Pointed out by Oleg Nesterov <oleg@tv-sign.ru>, who in turn
got the hint from Linus.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 arch/ia64/ia32/ia32_signal.c |    1 +
 1 files changed, 1 insertion(+)

--- linux-2.6.15.4.orig/arch/ia64/ia32/ia32_signal.c
+++ linux-2.6.15.4/arch/ia64/ia32/ia32_signal.c
@@ -515,6 +515,7 @@ sys32_signal (int sig, unsigned int hand
 
 	sigact_set_handler(&new_sa, handler, 0);
 	new_sa.sa.sa_flags = SA_ONESHOT | SA_NOMASK;
+	sigemptyset(&new_sa.sa.sa_mask);
 
 	ret = do_sigaction(sig, &new_sa, &old_sa);
 

--

[patch 14/39] [PATCH] Fix s390 build failure.

[Chris Wright]

[-- Attachment #1: fix-s390-build-failure.patch --]
[-- Type: text/plain, Size: 962 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

arch/s390/kernel/compat_signal.c:199: error: conflicting types for 'do_sigaction'
include/linux/sched.h:1115: error: previous declaration of 'do_sigaction' was here

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 arch/s390/kernel/compat_signal.c |    3 ---
 1 files changed, 3 deletions(-)

--- linux-2.6.15.4.orig/arch/s390/kernel/compat_signal.c
+++ linux-2.6.15.4/arch/s390/kernel/compat_signal.c
@@ -258,9 +258,6 @@ sys32_sigaction(int sig, const struct ol
 	return ret;
 }
 
-int
-do_sigaction(int sig, const struct k_sigaction *act, struct k_sigaction *oact);
-
 asmlinkage long
 sys32_rt_sigaction(int sig, const struct sigaction32 __user *act,
 	   struct sigaction32 __user *oact,  size_t sigsetsize)

--

[patch 15/39] [PATCH] [BRIDGE]: Fix deadlock in br_stp_disable_bridge

[Chris Wright]

[-- Attachment #1: fix-deadlock-in-br_stp_disable_bridge.patch --]
[-- Type: text/plain, Size: 1220 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Looks like somebody forgot to use the _bh spin_lock variant. We ran into a
deadlock where br->hello_timer expired while br_stp_disable_br() walked
br->port_list.

Signed-off-by: Adrian Drzewiecki <z@drze.net>
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 net/bridge/br_stp_if.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.15.4.orig/net/bridge/br_stp_if.c
+++ linux-2.6.15.4/net/bridge/br_stp_if.c
@@ -67,7 +67,7 @@ void br_stp_disable_bridge(struct net_br
 {
 	struct net_bridge_port *p;
 
-	spin_lock(&br->lock);
+	spin_lock_bh(&br->lock);
 	list_for_each_entry(p, &br->port_list, list) {
 		if (p->state != BR_STATE_DISABLED)
 			br_stp_disable_port(p);
@@ -76,7 +76,7 @@ void br_stp_disable_bridge(struct net_br
 
 	br->topology_change = 0;
 	br->topology_change_detected = 0;
-	spin_unlock(&br->lock);
+	spin_unlock_bh(&br->lock);
 
 	del_timer_sync(&br->hello_timer);
 	del_timer_sync(&br->topology_change_timer);

--

[patch 16/39] [PATCH] fix zap_threads ptrace related problems

[Chris Wright]

[-- Attachment #1: fix-zap_thread-s-ptrace-related-problems.patch --]
[-- Type: text/plain, Size: 2970 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

1. The tracee can go from ptrace_stop() to do_signal_stop()
   after __ptrace_unlink(p).

2. It is unsafe to __ptrace_unlink(p) while p->parent may wait
   for tasklist_lock in ptrace_detach().

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Christoph Hellwig <hch@lst.de>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/exec.c              |    2 +-
 include/linux/ptrace.h |    1 +
 kernel/ptrace.c        |   25 +++++++++++++++----------
 3 files changed, 17 insertions(+), 11 deletions(-)

--- linux-2.6.15.4.orig/fs/exec.c
+++ linux-2.6.15.4/fs/exec.c
@@ -1403,7 +1403,7 @@ static void zap_threads (struct mm_struc
 		do_each_thread(g,p) {
 			if (mm == p->mm && p != tsk &&
 			    p->ptrace && p->parent->mm == mm) {
-				__ptrace_unlink(p);
+				__ptrace_detach(p, 0);
 			}
 		} while_each_thread(g,p);
 		write_unlock_irq(&tasklist_lock);
--- linux-2.6.15.4.orig/include/linux/ptrace.h
+++ linux-2.6.15.4/include/linux/ptrace.h
@@ -84,6 +84,7 @@ extern int ptrace_readdata(struct task_s
 extern int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long dst, int len);
 extern int ptrace_attach(struct task_struct *tsk);
 extern int ptrace_detach(struct task_struct *, unsigned int);
+extern void __ptrace_detach(struct task_struct *, unsigned int);
 extern void ptrace_disable(struct task_struct *);
 extern int ptrace_check_attach(struct task_struct *task, int kill);
 extern int ptrace_request(struct task_struct *child, long request, long addr, long data);
--- linux-2.6.15.4.orig/kernel/ptrace.c
+++ linux-2.6.15.4/kernel/ptrace.c
@@ -71,8 +71,8 @@ void ptrace_untrace(task_t *child)
  */
 void __ptrace_unlink(task_t *child)
 {
-	if (!child->ptrace)
-		BUG();
+	BUG_ON(!child->ptrace);
+
 	child->ptrace = 0;
 	if (!list_empty(&child->ptrace_list)) {
 		list_del_init(&child->ptrace_list);
@@ -183,22 +183,27 @@ bad:
 	return retval;
 }
 
+void __ptrace_detach(struct task_struct *child, unsigned int data)
+{
+	child->exit_code = data;
+	/* .. re-parent .. */
+	__ptrace_unlink(child);
+	/* .. and wake it up. */
+	if (child->exit_state != EXIT_ZOMBIE)
+		wake_up_process(child);
+}
+
 int ptrace_detach(struct task_struct *child, unsigned int data)
 {
 	if (!valid_signal(data))
-		return	-EIO;
+		return -EIO;
 
 	/* Architecture-specific hardware disable .. */
 	ptrace_disable(child);
 
-	/* .. re-parent .. */
-	child->exit_code = data;
-
 	write_lock_irq(&tasklist_lock);
-	__ptrace_unlink(child);
-	/* .. and wake it up. */
-	if (child->exit_state != EXIT_ZOMBIE)
-		wake_up_process(child);
+	if (child->ptrace)
+		__ptrace_detach(child, data);
 	write_unlock_irq(&tasklist_lock);
 
 	return 0;

--

[patch 17/39] [PATCH] fix deadlock in ext2

[Chris Wright]

[-- Attachment #1: fix-deadlock-in-ext2.patch --]
[-- Type: text/plain, Size: 1813 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fix a deadlock possible in the ext2 file system implementation.  This
deadlock occurs when a file is removed from an ext2 file system which was
mounted with the "sync" mount option.

The problem is that ext2_xattr_delete_inode() was invoking the routine,
sync_dirty_buffer(), using a buffer head which was previously locked via
lock_buffer().  The first thing that sync_dirty_buffer() does is to lock
the buffer head that it was passed.  It does this via lock_buffer().  Oops.

The solution is to unlock the buffer head in ext2_xattr_delete_inode()
before invoking sync_dirty_buffer().  This makes the code in
ext2_xattr_delete_inode() obey the same locking rules as all other callers
of sync_dirty_buffer() in the ext2 file system implementation.

Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/ext2/xattr.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.15.4.orig/fs/ext2/xattr.c
+++ linux-2.6.15.4/fs/ext2/xattr.c
@@ -796,18 +796,20 @@ ext2_xattr_delete_inode(struct inode *in
 		ext2_free_blocks(inode, EXT2_I(inode)->i_file_acl, 1);
 		get_bh(bh);
 		bforget(bh);
+		unlock_buffer(bh);
 	} else {
 		HDR(bh)->h_refcount = cpu_to_le32(
 			le32_to_cpu(HDR(bh)->h_refcount) - 1);
 		if (ce)
 			mb_cache_entry_release(ce);
+		ea_bdebug(bh, "refcount now=%d",
+			le32_to_cpu(HDR(bh)->h_refcount));
+		unlock_buffer(bh);
 		mark_buffer_dirty(bh);
 		if (IS_SYNC(inode))
 			sync_dirty_buffer(bh);
 		DQUOT_FREE_BLOCK(inode, 1);
 	}
-	ea_bdebug(bh, "refcount now=%d", le32_to_cpu(HDR(bh)->h_refcount) - 1);
-	unlock_buffer(bh);
 	EXT2_I(inode)->i_file_acl = 0;
 
 cleanup:

--

[patch 18/39] [PATCH] sys_mbind sanity checking

[Chris Wright]

[-- Attachment #1: sys_mbind-sanity-checking.patch --]
[-- Type: text/plain, Size: 793 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Make sure maxnodes is safe size before calculating nlongs in
get_nodes().

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[chrisw: fix units, pointed out by Andi]
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 mm/mempolicy.c |    2 ++
 1 files changed, 2 insertions(+)

--- linux-2.6.15.4.orig/mm/mempolicy.c
+++ linux-2.6.15.4/mm/mempolicy.c
@@ -524,6 +524,8 @@ static int get_nodes(nodemask_t *nodes, 
 	nodes_clear(*nodes);
 	if (maxnode == 0 || !nmask)
 		return 0;
+	if (maxnode > PAGE_SIZE*BITS_PER_BYTE)
+		return -EINVAL;
 
 	nlongs = BITS_TO_LONGS(maxnode);
 	if ((maxnode % BITS_PER_LONG) == 0)

--

[patch 19/39] [PATCH] it87: Fix oops on removal

[Chris Wright]

[-- Attachment #1: it87-fix-oops-on-removal.patch --]
[-- Type: text/plain, Size: 734 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fix an oops on it87 module removal when no supported hardware was
found.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/hwmon/it87.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.15.4.orig/drivers/hwmon/it87.c
+++ linux-2.6.15.4/drivers/hwmon/it87.c
@@ -1180,7 +1180,8 @@ static int __init sm_it87_init(void)
 
 static void __exit sm_it87_exit(void)
 {
-	i2c_isa_del_driver(&it87_isa_driver);
+	if (isa_address)
+		i2c_isa_del_driver(&it87_isa_driver);
 	i2c_del_driver(&it87_driver);
 }
 

--

[patch 20/39] [PATCH] hwmon it87: Probe i2c 0x2d only

[Chris Wright]

[-- Attachment #1: hwmon-it87-probe-i2c-0x2d-only.patch --]
[-- Type: text/plain, Size: 1631 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Only scan I2C address 0x2d. This is the default address and no IT87xxF
chip was ever seen on I2C at a different address. These chips are
better accessed through their ISA interface anyway.

This fixes bug #5889, although it doesn't address the whole class
of problems. We'd need the ability to blacklist arbitrary I2C addresses
on systems known to contain I2C devices which behave badly when probed.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 Documentation/hwmon/it87 |    2 +-
 drivers/hwmon/it87.c     |    3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

--- linux-2.6.15.4.orig/Documentation/hwmon/it87
+++ linux-2.6.15.4/Documentation/hwmon/it87
@@ -9,7 +9,7 @@ Supported chips:
                http://www.ite.com.tw/
   * IT8712F
     Prefix: 'it8712'
-    Addresses scanned: I2C 0x28 - 0x2f
+    Addresses scanned: I2C 0x2d
                        from Super I/O config space (8 I/O ports)
     Datasheet: Publicly available at the ITE website
                http://www.ite.com.tw/
--- linux-2.6.15.4.orig/drivers/hwmon/it87.c
+++ linux-2.6.15.4/drivers/hwmon/it87.c
@@ -45,8 +45,7 @@
 
 
 /* Addresses to scan */
-static unsigned short normal_i2c[] = { 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
-					0x2e, 0x2f, I2C_CLIENT_END };
+static unsigned short normal_i2c[] = { 0x2d, I2C_CLIENT_END };
 static unsigned short isa_address;
 
 /* Insmod parameters */

--

[patch 21/39] [PATCH] Fix snd-usb-audio in 32-bit compat environment

[Chris Wright]

[-- Attachment #1: fix-snd-usb-audio-in-32-bit-compat-environment.patch --]
[-- Type: text/plain, Size: 1740 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

I'm getting oopses with snd-usb-audio in 32-bit compat environments:
control_compat.c:get_ctl_type() doesn't initialize 'info', so
'itemlist[uinfo->value.enumerated.item]' in
usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
because of the unsigned -> signed conversion.)

Signed-off-by: Juergen Kreileder <jk@blackdown.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 sound/core/control_compat.c |   16 +++++++++++-----
 1 files changed, 11 insertions(+), 5 deletions(-)

--- linux-2.6.15.4.orig/sound/core/control_compat.c
+++ linux-2.6.15.4/sound/core/control_compat.c
@@ -164,7 +164,7 @@ struct sndrv_ctl_elem_value32 {
 static int get_ctl_type(snd_card_t *card, snd_ctl_elem_id_t *id, int *countp)
 {
 	snd_kcontrol_t *kctl;
-	snd_ctl_elem_info_t info;
+	snd_ctl_elem_info_t *info;
 	int err;
 
 	down_read(&card->controls_rwsem);
@@ -173,13 +173,19 @@ static int get_ctl_type(snd_card_t *card
 		up_read(&card->controls_rwsem);
 		return -ENXIO;
 	}
-	info.id = *id;
-	err = kctl->info(kctl, &info);
+	info = kzalloc(sizeof(*info), GFP_KERNEL);
+	if (info == NULL) {
+		up_read(&card->controls_rwsem);
+		return -ENOMEM;
+	}
+	info->id = *id;
+	err = kctl->info(kctl, info);
 	up_read(&card->controls_rwsem);
 	if (err >= 0) {
-		err = info.type;
-		*countp = info.count;
+		err = info->type;
+		*countp = info->count;
 	}
+	kfree(info);
 	return err;
 }
 

--

[patch 22/39] [PATCH] alsa: fix bogus snd_device_free() in opl3-oss.c

[Chris Wright]

[-- Attachment #1: alsa-fix-bogus-snd_device_free-in-opl3-oss.c.patch --]
[-- Type: text/plain, Size: 855 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Remove snd_device_free() for an opl3-oss instance which should have been
released.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 sound/drivers/opl3/opl3_oss.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.15.4.orig/sound/drivers/opl3/opl3_oss.c
+++ linux-2.6.15.4/sound/drivers/opl3/opl3_oss.c
@@ -146,7 +146,7 @@ void snd_opl3_init_seq_oss(opl3_t *opl3,
 void snd_opl3_free_seq_oss(opl3_t *opl3)
 {
 	if (opl3->oss_seq_dev) {
-		snd_device_free(opl3->card, opl3->oss_seq_dev);
+		/* The instance should have been released in prior */
 		opl3->oss_seq_dev = NULL;
 	}
 }

--

[patch 23/39] [PATCH] cfi: init wait queue in chip struct

[Chris Wright]

[-- Attachment #1: cfi-init-wait-queue-in-chip-struct.patch --]
[-- Type: text/plain, Size: 964 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fix a kernel oops for Intel P30 flashes, where the wait queue head was not
initialized for the flchip struct, which in turn caused a crash at the
first read operation.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/mtd/chips/cfi_cmdset_0001.c |    1 +
 1 files changed, 1 insertion(+)

--- linux-2.6.15.4.orig/drivers/mtd/chips/cfi_cmdset_0001.c
+++ linux-2.6.15.4/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -408,6 +408,7 @@ struct mtd_info *cfi_cmdset_0001(struct 
 		cfi->chips[i].buffer_write_time = 1<<cfi->cfiq->BufWriteTimeoutTyp;
 		cfi->chips[i].erase_time = 1<<cfi->cfiq->BlockEraseTimeoutTyp;
 		cfi->chips[i].ref_point_counter = 0;
+		init_waitqueue_head(&(cfi->chips[i].wq));
 	}
 
 	map->fldrv = &cfi_intelext_chipdrv;

--

[patch 24/39] [PATCH] gbefb: Set default of FB_GBE_MEM to 4 MB

[Chris Wright]

[-- Attachment #1: gbefb-set-default-of-fb_gbe_mem-to-4-mb.patch --]
[-- Type: text/plain, Size: 980 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Allocating more than 4 MB memory for the GBE (SGI O2) framebuffer completely
breakfs gbefb support at the moment.  According to comments on #mipslinux,
more than 4 MB has never worked correctly in Linux.  Therefore, the default
should be 4 MB.

Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/video/Kconfig |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.15.4.orig/drivers/video/Kconfig
+++ linux-2.6.15.4/drivers/video/Kconfig
@@ -520,7 +520,7 @@ config FB_GBE
 config FB_GBE_MEM
 	int "Video memory size in MB"
 	depends on FB_GBE
-	default 8
+	default 4
 	help
 	  This is the amount of memory reserved for the framebuffer,
 	  which can be any value between 1MB and 8MB.

--

[patch 25/39] [PATCH] dm: missing bdput/thaw_bdev at removal

[Chris Wright]

[-- Attachment #1: dm-missing-bdput-thaw_bdev-at-removal.patch --]
[-- Type: text/plain, Size: 919 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Need to unfreeze and release bdev otherwise the bdev inode with
inconsistent state is reused later and cause problem.

Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Acked-by: Alasdair G Kergon <agk@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
[chrisw: backport to 2.6.15]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/md/dm.c |    4 ++++
 1 files changed, 4 insertions(+)

--- linux-2.6.15.4.orig/drivers/md/dm.c
+++ linux-2.6.15.4/drivers/md/dm.c
@@ -812,6 +812,10 @@ static struct mapped_device *alloc_dev(u
 
 static void free_dev(struct mapped_device *md)
 {
+	if (md->frozen_bdev) {
+		thaw_bdev(md->frozen_bdev, NULL);
+		bdput(md->frozen_bdev);
+	}
 	free_minor(md->disk->first_minor);
 	mempool_destroy(md->tio_pool);
 	mempool_destroy(md->io_pool);

--

[patch 26/39] [PATCH] dm: free minor after unlink gendisk

[Chris Wright]

[-- Attachment #1: dm-free-minor-after-unlink-gendisk.patch --]
[-- Type: text/plain, Size: 1110 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Minor number should be freed after del_gendisk().  Otherwise, there could
be a window where 2 registered gendisk has same minor number.

Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Acked-by: Alasdair G Kergon <agk@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
[chrisw: backport to 2.6.15]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/md/dm.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

--- linux-2.6.15.4.orig/drivers/md/dm.c
+++ linux-2.6.15.4/drivers/md/dm.c
@@ -812,14 +812,16 @@ static struct mapped_device *alloc_dev(u
 
 static void free_dev(struct mapped_device *md)
 {
+	unsigned int minor = md->disk->first_minor;
+
 	if (md->frozen_bdev) {
 		thaw_bdev(md->frozen_bdev, NULL);
 		bdput(md->frozen_bdev);
 	}
-	free_minor(md->disk->first_minor);
 	mempool_destroy(md->tio_pool);
 	mempool_destroy(md->io_pool);
 	del_gendisk(md->disk);
+	free_minor(minor);
 	put_disk(md->disk);
 	blk_put_queue(md->queue);
 	kfree(md);

--

[patch 27/39] [PATCH] ramfs: update dir mtime and ctime

[Chris Wright]

[-- Attachment #1: ramfs-update-dir-mtime-and-ctime.patch --]
[-- Type: text/plain, Size: 932 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Phil Marek <philipp.marek@bmlv.gv.at> points out that ramfs forgets to update
a directory's mtime and ctime when it is modified.

Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 fs/ramfs/inode.c |    2 ++
 1 files changed, 2 insertions(+)

--- linux-2.6.15.4.orig/fs/ramfs/inode.c
+++ linux-2.6.15.4/fs/ramfs/inode.c
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 #include <linux/pagemap.h>
 #include <linux/highmem.h>
+#include <linux/time.h>
 #include <linux/init.h>
 #include <linux/string.h>
 #include <linux/smp_lock.h>
@@ -105,6 +106,7 @@ ramfs_mknod(struct inode *dir, struct de
 		d_instantiate(dentry, inode);
 		dget(dentry);	/* Extra count - pin the dentry in core */
 		error = 0;
+		dir->i_mtime = dir->i_ctime = CURRENT_TIME;
 	}
 	return error;
 }

--

[patch 28/39] [PATCH] gbefb: IP32 gbefb depth change fix

[Chris Wright]

[-- Attachment #1: gbefb-ip32-gbefb-depth-change-fix.patch --]
[-- Type: text/plain, Size: 1189 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

The gbefb driver does not update the framebuffer layers visual setting when
depth is changed with fbset, resulting in strange colors (very dark blue in
16-bit, almost black in 24-bit).

Signed-off-by: Kaj-Michael Lang <milang@tal.org>
Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/video/gbefb.c |    3 +++
 1 files changed, 3 insertions(+)

--- linux-2.6.15.4.orig/drivers/video/gbefb.c
+++ linux-2.6.15.4/drivers/video/gbefb.c
@@ -656,12 +656,15 @@ static int gbefb_set_par(struct fb_info 
 	switch (bytesPerPixel) {
 	case 1:
 		SET_GBE_FIELD(WID, TYP, val, GBE_CMODE_I8);
+		info->fix.visual = FB_VISUAL_PSEUDOCOLOR;
 		break;
 	case 2:
 		SET_GBE_FIELD(WID, TYP, val, GBE_CMODE_ARGB5);
+		info->fix.visual = FB_VISUAL_TRUECOLOR;
 		break;
 	case 4:
 		SET_GBE_FIELD(WID, TYP, val, GBE_CMODE_RGB8);
+		info->fix.visual = FB_VISUAL_TRUECOLOR;
 		break;
 	}
 	SET_GBE_FIELD(WID, BUF, val, GBE_BMODE_BOTH);

--

[patch 29/39] [PATCH] skge: speed setting

[Chris Wright]

[-- Attachment #1: skge-speed-setting.patch --]
[-- Type: text/plain, Size: 1571 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

This is a clone of John Linville's fixed for speed setting on sky2 driver.
The skge driver has the same code (and bug). It would not allow manually forcing
100 and 10 mbit.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/skge.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletion(-)

--- linux-2.6.15.4.orig/drivers/net/skge.c
+++ linux-2.6.15.4/drivers/net/skge.c
@@ -1698,6 +1698,7 @@ static void yukon_mac_init(struct skge_h
 	skge_write32(hw, SK_REG(port, GPHY_CTRL), reg | GPC_RST_SET);
 	skge_write32(hw, SK_REG(port, GPHY_CTRL), reg | GPC_RST_CLR);
 	skge_write32(hw, SK_REG(port, GMAC_CTRL), GMC_PAUSE_ON | GMC_RST_CLR);
+
 	if (skge->autoneg == AUTONEG_DISABLE) {
 		reg = GM_GPCR_AU_ALL_DIS;
 		gma_write16(hw, port, GM_GP_CTRL,
@@ -1705,16 +1706,23 @@ static void yukon_mac_init(struct skge_h
 
 		switch (skge->speed) {
 		case SPEED_1000:
+			reg &= ~GM_GPCR_SPEED_100;
 			reg |= GM_GPCR_SPEED_1000;
-			/* fallthru */
+			break;
 		case SPEED_100:
+			reg &= ~GM_GPCR_SPEED_1000;
 			reg |= GM_GPCR_SPEED_100;
+			break;
+		case SPEED_10:
+			reg &= ~(GM_GPCR_SPEED_1000 | GM_GPCR_SPEED_100);
+			break;
 		}
 
 		if (skge->duplex == DUPLEX_FULL)
 			reg |= GM_GPCR_DUP_FULL;
 	} else
 		reg = GM_GPCR_SPEED_1000 | GM_GPCR_SPEED_100 | GM_GPCR_DUP_FULL;
+
 	switch (skge->flow_control) {
 	case FLOW_MODE_NONE:
 		skge_write32(hw, SK_REG(port, GMAC_CTRL), GMC_PAUSE_OFF);

--

[patch 30/39] [PATCH] skge: fix NAPI/irq race

[Chris Wright]

[-- Attachment #1: skge-fix-napi-irq-race.patch --]
[-- Type: text/plain, Size: 1739 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fix a race in the receive NAPI, irq handling. The interrupt clear and the
start need to be separated.  Otherwise there is a window between the last
frame received and the NAPI done level handling.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/skge.c |   17 +++++------------
 1 files changed, 5 insertions(+), 12 deletions(-)

--- linux-2.6.15.4.orig/drivers/net/skge.c
+++ linux-2.6.15.4/drivers/net/skge.c
@@ -2675,8 +2675,7 @@ static int skge_poll(struct net_device *
 
 	/* restart receiver */
 	wmb();
-	skge_write8(hw, Q_ADDR(rxqaddr[skge->port], Q_CSR),
-		    CSR_START | CSR_IRQ_CL_F);
+	skge_write8(hw, Q_ADDR(rxqaddr[skge->port], Q_CSR), CSR_START);
 
 	*budget -= work_done;
 	dev->quota -= work_done;
@@ -2853,14 +2852,6 @@ static void skge_extirq(unsigned long da
 	local_irq_enable();
 }
 
-static inline void skge_wakeup(struct net_device *dev)
-{
-	struct skge_port *skge = netdev_priv(dev);
-
-	prefetch(skge->rx_ring.to_clean);
-	netif_rx_schedule(dev);
-}
-
 static irqreturn_t skge_intr(int irq, void *dev_id, struct pt_regs *regs)
 {
 	struct skge_hw *hw = dev_id;
@@ -2871,13 +2862,15 @@ static irqreturn_t skge_intr(int irq, vo
 
 	status &= hw->intr_mask;
 	if (status & IS_R1_F) {
+		skge_write8(hw, Q_ADDR(Q_R1, Q_CSR), CSR_IRQ_CL_F);
 		hw->intr_mask &= ~IS_R1_F;
-		skge_wakeup(hw->dev[0]);
+		netif_rx_schedule(hw->dev[0]);
 	}
 
 	if (status & IS_R2_F) {
+		skge_write8(hw, Q_ADDR(Q_R2, Q_CSR), CSR_IRQ_CL_F);
 		hw->intr_mask &= ~IS_R2_F;
-		skge_wakeup(hw->dev[1]);
+		netif_rx_schedule(hw->dev[1]);
 	}
 
 	if (status & IS_XA1_F)

--

[patch 31/39] [PATCH] skge: genesis phy initialization fix

[Chris Wright]

[-- Attachment #1: skge-genesis-phy-initialization-fix.patch --]
[-- Type: text/plain, Size: 2679 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

The SysKonnect Genesis based board would fail on initialization
with phy_read errors caused by not waiting for last phy write.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/skge.c |   37 ++++++++++++++++++++++++++-----------
 1 files changed, 26 insertions(+), 11 deletions(-)

--- linux-2.6.15.4.orig/drivers/net/skge.c
+++ linux-2.6.15.4/drivers/net/skge.c
@@ -880,13 +880,12 @@ static int __xm_phy_read(struct skge_hw 
 	int i;
 
 	xm_write16(hw, port, XM_PHY_ADDR, reg | hw->phy_addr);
-	xm_read16(hw, port, XM_PHY_DATA);
+	*val = xm_read16(hw, port, XM_PHY_DATA);
 
-	/* Need to wait for external PHY */
 	for (i = 0; i < PHY_RETRIES; i++) {
-		udelay(1);
 		if (xm_read16(hw, port, XM_MMU_CMD) & XM_MMU_PHY_RDY)
 			goto ready;
+		udelay(1);
 	}
 
 	return -ETIMEDOUT;
@@ -919,7 +918,12 @@ static int xm_phy_write(struct skge_hw *
 
  ready:
 	xm_write16(hw, port, XM_PHY_DATA, val);
-	return 0;
+	for (i = 0; i < PHY_RETRIES; i++) {
+		if (!(xm_read16(hw, port, XM_MMU_CMD) & XM_MMU_PHY_BUSY))
+			return 0;
+		udelay(1);
+	}
+	return -ETIMEDOUT;
 }
 
 static void genesis_init(struct skge_hw *hw)
@@ -1169,13 +1173,17 @@ static void genesis_mac_init(struct skge
 	u32 r;
 	const u8 zero[6]  = { 0 };
 
-	/* Clear MIB counters */
-	xm_write16(hw, port, XM_STAT_CMD,
-			XM_SC_CLR_RXC | XM_SC_CLR_TXC);
-	/* Clear two times according to Errata #3 */
-	xm_write16(hw, port, XM_STAT_CMD,
-			XM_SC_CLR_RXC | XM_SC_CLR_TXC);
+	for (i = 0; i < 10; i++) {
+		skge_write16(hw, SK_REG(port, TX_MFF_CTRL1),
+			     MFF_SET_MAC_RST);
+		if (skge_read16(hw, SK_REG(port, TX_MFF_CTRL1)) & MFF_SET_MAC_RST)
+			goto reset_ok;
+		udelay(1);
+	}
 
+	printk(KERN_WARNING PFX "%s: genesis reset failed\n", dev->name);
+
+ reset_ok:
 	/* Unreset the XMAC. */
 	skge_write16(hw, SK_REG(port, TX_MFF_CTRL1), MFF_CLR_MAC_RST);
 
@@ -1192,7 +1200,7 @@ static void genesis_mac_init(struct skge
 		r |= GP_DIR_2|GP_IO_2;
 
 	skge_write32(hw, B2_GP_IO, r);
-	skge_read32(hw, B2_GP_IO);
+
 
 	/* Enable GMII interface */
 	xm_write16(hw, port, XM_HW_CFG, XM_HW_GMII_MD);
@@ -1206,6 +1214,13 @@ static void genesis_mac_init(struct skge
 	for (i = 1; i < 16; i++)
 		xm_outaddr(hw, port, XM_EXM(i), zero);
 
+	/* Clear MIB counters */
+	xm_write16(hw, port, XM_STAT_CMD,
+			XM_SC_CLR_RXC | XM_SC_CLR_TXC);
+	/* Clear two times according to Errata #3 */
+	xm_write16(hw, port, XM_STAT_CMD,
+			XM_SC_CLR_RXC | XM_SC_CLR_TXC);
+
 	/* configure Rx High Water Mark (XM_RX_HI_WM) */
 	xm_write16(hw, port, XM_RX_HI_WM, 1450);
 

--

[patch 32/39] [PATCH] skge: fix SMP race

[Chris Wright]

[-- Attachment #1: skge-fix-smp-race.patch --]
[-- Type: text/plain, Size: 3029 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

If skge is attached to a bad cable, that goes up/down.
It exposes an SMP race with the management of IRQ mask

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 drivers/net/skge.c |   21 ++++++++++++++-------
 drivers/net/skge.h |    1 +
 2 files changed, 15 insertions(+), 7 deletions(-)

--- linux-2.6.15.4.orig/drivers/net/skge.c
+++ linux-2.6.15.4/drivers/net/skge.c
@@ -2182,8 +2182,10 @@ static int skge_up(struct net_device *de
 	skge->tx_avail = skge->tx_ring.count - 1;
 
 	/* Enable IRQ from port */
+	spin_lock_irq(&hw->hw_lock);
 	hw->intr_mask |= portirqmask[port];
 	skge_write32(hw, B0_IMSK, hw->intr_mask);
+	spin_unlock_irq(&hw->hw_lock);
 
 	/* Initialize MAC */
 	spin_lock_bh(&hw->phy_lock);
@@ -2241,8 +2243,10 @@ static int skge_down(struct net_device *
 	else
 		yukon_stop(skge);
 
+	spin_lock_irq(&hw->hw_lock);
 	hw->intr_mask &= ~portirqmask[skge->port];
 	skge_write32(hw, B0_IMSK, hw->intr_mask);
+	spin_unlock_irq(&hw->hw_lock);
 
 	/* Stop transmitter */
 	skge_write8(hw, Q_ADDR(txqaddr[port], Q_CSR), CSR_STOP);
@@ -2698,10 +2702,11 @@ static int skge_poll(struct net_device *
 	if (work_done >=  to_do)
 		return 1; /* not done */
 
-	netif_rx_complete(dev);
-	hw->intr_mask |= portirqmask[skge->port];
-	skge_write32(hw, B0_IMSK, hw->intr_mask);
-	skge_read32(hw, B0_IMSK);
+	spin_lock_irq(&hw->hw_lock);
+	__netif_rx_complete(dev);
+  	hw->intr_mask |= portirqmask[skge->port];
+  	skge_write32(hw, B0_IMSK, hw->intr_mask);
+ 	spin_unlock_irq(&hw->hw_lock);
 
 	return 0;
 }
@@ -2861,10 +2866,10 @@ static void skge_extirq(unsigned long da
 	}
 	spin_unlock(&hw->phy_lock);
 
-	local_irq_disable();
+	spin_lock_irq(&hw->hw_lock);
 	hw->intr_mask |= IS_EXT_REG;
 	skge_write32(hw, B0_IMSK, hw->intr_mask);
-	local_irq_enable();
+	spin_unlock_irq(&hw->hw_lock);
 }
 
 static irqreturn_t skge_intr(int irq, void *dev_id, struct pt_regs *regs)
@@ -2875,7 +2880,7 @@ static irqreturn_t skge_intr(int irq, vo
 	if (status == 0 || status == ~0) /* hotplug or shared irq */
 		return IRQ_NONE;
 
-	status &= hw->intr_mask;
+	spin_lock(&hw->hw_lock);
 	if (status & IS_R1_F) {
 		skge_write8(hw, Q_ADDR(Q_R1, Q_CSR), CSR_IRQ_CL_F);
 		hw->intr_mask &= ~IS_R1_F;
@@ -2927,6 +2932,7 @@ static irqreturn_t skge_intr(int irq, vo
 	}
 
 	skge_write32(hw, B0_IMSK, hw->intr_mask);
+	spin_unlock(&hw->hw_lock);
 
 	return IRQ_HANDLED;
 }
@@ -3285,6 +3291,7 @@ static int __devinit skge_probe(struct p
 
 	hw->pdev = pdev;
 	spin_lock_init(&hw->phy_lock);
+	spin_lock_init(&hw->hw_lock);
 	tasklet_init(&hw->ext_tasklet, skge_extirq, (unsigned long) hw);
 
 	hw->regs = ioremap_nocache(pci_resource_start(pdev, 0), 0x4000);
--- linux-2.6.15.4.orig/drivers/net/skge.h
+++ linux-2.6.15.4/drivers/net/skge.h
@@ -2473,6 +2473,7 @@ struct skge_hw {
 
 	struct tasklet_struct ext_tasklet;
 	spinlock_t	     phy_lock;
+	spinlock_t	     hw_lock;
 };
 
 enum {

--

[patch 33/39] [PATCH] x86_64: Check for bad elf entry address

[Chris Wright]

[-- Attachment #1: x86_64-check-for-bad-elf-entry-address.patch --]
[-- Type: text/plain, Size: 824 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fixes a local DOS on Intel systems that lead to an endless
recursive fault.  AMD machines don't seem to be affected.

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/binfmt_elf.c |    5 +++++
 1 files changed, 5 insertions(+)

--- linux-2.6.15.4.orig/fs/binfmt_elf.c
+++ linux-2.6.15.4/fs/binfmt_elf.c
@@ -932,6 +932,11 @@ static int load_elf_binary(struct linux_
 		kfree(elf_interpreter);
 	} else {
 		elf_entry = loc->elf_ex.e_entry;
+		if (BAD_ADDR(elf_entry)) {
+			send_sig(SIGSEGV, current, 0);
+			retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+			goto out_free_dentry;
+		}
 	}
 
 	kfree(elf_phdata);

--

[patch 34/39] [NETLINK]: Fix a severe bug

[Chris Wright]

[-- Attachment #1: fix-a-severe-bug.patch --]
[-- Type: text/plain, Size: 3095 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

netlink overrun was broken while improvement of netlink.
Destination socket is used in the place where it was meant to be source socket,
so that now overrun is never sent to user netlink sockets, when it should be,
and it even can be set on kernel socket, which results in complete deadlock
of rtnetlink.

Suggested fix is to restore status quo passing source socket as additional
argument to netlink_attachskb().

A little explanation: overrun is set on a socket, when it failed
to receive some message and sender of this messages does not or even
have no way to handle this error. This happens in two cases:
1. when kernel sends something. Kernel never retransmits and cannot
   wait for buffer space.
2. when user sends a broadcast and the message was not delivered
   to some recipients.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 include/linux/netlink.h  |    3 ++-
 ipc/mqueue.c             |    3 ++-
 net/netlink/af_netlink.c |    7 ++++---
 3 files changed, 8 insertions(+), 5 deletions(-)

--- linux-2.6.15.4.orig/include/linux/netlink.h
+++ linux-2.6.15.4/include/linux/netlink.h
@@ -160,7 +160,8 @@ extern int netlink_unregister_notifier(s
 
 /* finegrained unicast helpers: */
 struct sock *netlink_getsockbyfilp(struct file *filp);
-int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock, long timeo);
+int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock,
+		long timeo, struct sock *ssk);
 void netlink_detachskb(struct sock *sk, struct sk_buff *skb);
 int netlink_sendskb(struct sock *sk, struct sk_buff *skb, int protocol);
 
--- linux-2.6.15.4.orig/ipc/mqueue.c
+++ linux-2.6.15.4/ipc/mqueue.c
@@ -1017,7 +1017,8 @@ retry:
 				goto out;
 			}
 
-			ret = netlink_attachskb(sock, nc, 0, MAX_SCHEDULE_TIMEOUT);
+			ret = netlink_attachskb(sock, nc, 0,
+					MAX_SCHEDULE_TIMEOUT, NULL);
 			if (ret == 1)
 		       		goto retry;
 			if (ret) {
--- linux-2.6.15.4.orig/net/netlink/af_netlink.c
+++ linux-2.6.15.4/net/netlink/af_netlink.c
@@ -701,7 +701,8 @@ struct sock *netlink_getsockbyfilp(struc
  * 0: continue
  * 1: repeat lookup - reference dropped while waiting for socket memory.
  */
-int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock, long timeo)
+int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock,
+		long timeo, struct sock *ssk)
 {
 	struct netlink_sock *nlk;
 
@@ -711,7 +712,7 @@ int netlink_attachskb(struct sock *sk, s
 	    test_bit(0, &nlk->state)) {
 		DECLARE_WAITQUEUE(wait, current);
 		if (!timeo) {
-			if (!nlk->pid)
+			if (!ssk || nlk_sk(ssk)->pid == 0)
 				netlink_overrun(sk);
 			sock_put(sk);
 			kfree_skb(skb);
@@ -796,7 +797,7 @@ retry:
 		kfree_skb(skb);
 		return PTR_ERR(sk);
 	}
-	err = netlink_attachskb(sk, skb, nonblock, timeo);
+	err = netlink_attachskb(sk, skb, nonblock, timeo, ssk);
 	if (err == 1)
 		goto retry;
 	if (err)

--

[patch 35/39] [PATCH] sd: fix memory corruption with broken mode page headers

[Chris Wright]

[-- Attachment #1: sd-fix-memory-corruption-with-broken-mode-page-headers.patch --]
[-- Type: text/plain, Size: 3012 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

There's a problem in sd where we blindly believe the length of the
headers and block descriptors.  Some devices return insane values for
these and cause our length to end up greater than the actual buffer
size, so check to make sure.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Also removed the buffer size magic number (512) and added DPOFUA of
zero to the defaults

Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

rediff for 2.6.15.x without DPOFUA bit, taken from commit
489708007785389941a89fa06aedc5ec53303c96

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
fixes http://bugzilla.kernel.org/show_bug.cgi?id=6114 and
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182005

 drivers/scsi/sd.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

--- linux-2.6.15.4.orig/drivers/scsi/sd.c
+++ linux-2.6.15.4/drivers/scsi/sd.c
@@ -88,6 +88,11 @@
 #define SD_MAX_RETRIES		5
 #define SD_PASSTHROUGH_RETRIES	1
 
+/*
+ * Size of the initial data buffer for mode and read capacity data
+ */
+#define SD_BUF_SIZE		512
+
 static void scsi_disk_release(struct kref *kref);
 
 struct scsi_disk {
@@ -1299,7 +1304,7 @@ sd_do_mode_sense(struct scsi_device *sdp
 
 /*
  * read write protect setting, if possible - called only in sd_revalidate_disk()
- * called with buffer of length 512
+ * called with buffer of length SD_BUF_SIZE
  */
 static void
 sd_read_write_protect_flag(struct scsi_disk *sdkp, char *diskname,
@@ -1357,7 +1362,7 @@ sd_read_write_protect_flag(struct scsi_d
 
 /*
  * sd_read_cache_type - called only from sd_revalidate_disk()
- * called with buffer of length 512
+ * called with buffer of length SD_BUF_SIZE
  */
 static void
 sd_read_cache_type(struct scsi_disk *sdkp, char *diskname,
@@ -1402,6 +1407,8 @@ sd_read_cache_type(struct scsi_disk *sdk
 
 	/* Take headers and block descriptors into account */
 	len += data.header_length + data.block_descriptor_length;
+	if (len > SD_BUF_SIZE)
+		goto bad_sense;
 
 	/* Get the data */
 	res = sd_do_mode_sense(sdp, dbd, modepage, buffer, len, &data, &sshdr);
@@ -1414,6 +1421,12 @@ sd_read_cache_type(struct scsi_disk *sdk
 		int ct = 0;
 		int offset = data.header_length + data.block_descriptor_length;
 
+		if (offset >= SD_BUF_SIZE - 2) {
+			printk(KERN_ERR "%s: malformed MODE SENSE response",
+				diskname);
+			goto defaults;
+		}
+
 		if ((buffer[offset] & 0x3f) != modepage) {
 			printk(KERN_ERR "%s: got wrong page\n", diskname);
 			goto defaults;
@@ -1472,7 +1485,7 @@ static int sd_revalidate_disk(struct gen
 	if (!scsi_device_online(sdp))
 		goto out;
 
-	buffer = kmalloc(512, GFP_KERNEL | __GFP_DMA);
+	buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL | __GFP_DMA);
 	if (!buffer) {
 		printk(KERN_WARNING "(sd_revalidate_disk:) Memory allocation "
 		       "failure.\n");

--

[patch 36/39] [PATCH] sbp2: fix another deadlock after disconnection

[Chris Wright]

[-- Attachment #1: sbp2-fix-another-deadlock-after-disconnection.patch --]
[-- Type: text/plain, Size: 1447 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

sbp2: fix another deadlock after disconnection

If there were commands enqueued but not completed before an SBP-2 unit
was unplugged (or an attempt to reconnect failed), knodemgrd or any
process which tried to remove the device would sleep uninterruptibly
in blk_execute_rq().  Therefore make sure that all commands are
completed when sbp2 retreats.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Same as commit bf637ec3ef4159da3dd156ecf6f6987d8c8c5dae in Linus' tree.

 drivers/ieee1394/sbp2.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

--- linux-2.6.15.4.orig/drivers/ieee1394/sbp2.c
+++ linux-2.6.15.4/drivers/ieee1394/sbp2.c
@@ -650,9 +650,15 @@ static int sbp2_remove(struct device *de
 	if (!scsi_id)
 		return 0;
 
-	/* Trigger shutdown functions in scsi's highlevel. */
-	if (scsi_id->scsi_host)
+	if (scsi_id->scsi_host) {
+		/* Get rid of enqueued commands if there is no chance to
+		 * send them. */
+		if (!sbp2util_node_is_available(scsi_id))
+			sbp2scsi_complete_all_commands(scsi_id, DID_NO_CONNECT);
+		/* scsi_remove_device() will trigger shutdown functions of SCSI
+		 * highlevel drivers which would deadlock if blocked. */
 		scsi_unblock_requests(scsi_id->scsi_host);
+	}
 	sdev = scsi_id->sdev;
 	if (sdev) {
 		scsi_id->sdev = NULL;

--

[patch 37/39] [PATCH] XFS ftruncate() bug could expose stale data (CVE-2006-0554)

[Chris Wright]

[-- Attachment #1: xfs-ftruncate-bug-could-expose-stale-data.patch --]
[-- Type: text/plain, Size: 790 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

This is CVE-2006-0554 and SGI bug 942658.  With certain types of
ftruncate() activity on 2.6 kernels, XFS can end up exposing stale
data off disk to a user, putting extents where holes should be.  

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 fs/xfs/linux-2.6/xfs_aops.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.15.4.orig/fs/xfs/linux-2.6/xfs_aops.c
+++ linux-2.6.15.4/fs/xfs/linux-2.6/xfs_aops.c
@@ -385,7 +385,7 @@ xfs_probe_unmapped_cluster(
 
 	/* First sum forwards in this page */
 	do {
-		if (buffer_mapped(bh))
+		if (buffer_mapped(bh) || !buffer_uptodate(bh))
 			break;
 		total += bh->b_size;
 	} while ((bh = bh->b_this_page) != head);

--

[patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

[Chris Wright]

[-- Attachment #1: normal-user-can-panic-nfs-client-with-direct-i-o.patch --]
[-- Type: text/plain, Size: 803 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

 fs/nfs/direct.c |    5 +++++
 1 files changed, 5 insertions(+)

--- linux-2.6.15.4.orig/fs/nfs/direct.c
+++ linux-2.6.15.4/fs/nfs/direct.c
@@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
 		result = get_user_pages(current, current->mm, user_addr,
 					page_count, (rw == READ), 0,
 					*pages, NULL);
+		if (result >= 0 && result < page_count) {
+			nfs_free_user_pages(*pages, result, 0);
+			*pages = NULL;
+			result = -EFAULT;
+		}
 		up_read(&current->mm->mmap_sem);
 	}
 	return result;

--

[patch 39/39] [PATCH] IB/mthca: max_inline_data handling tweaks

[Chris Wright]

[-- Attachment #1: ib-mthca-max_inline_data-handling-tweaks.patch --]
[-- Type: text/plain, Size: 4488 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

Fix a case where copying max_inline_data from a successful create_qp
capabilities output to create_qp input could cause EINVAL error:

mthca_set_qp_size must check max_inline_data directly against
max_desc_sz; checking qp->sq.max_gs is wrong since max_inline_data
depends on the qp type and does not involve max_sg.

Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il>
Signed-off-by: "Michael S. Tsirkin" <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
fixes http://article.gmane.org/gmane.linux.drivers.openib/21118

 drivers/infiniband/hw/mthca/mthca_qp.c |   62 +++++++++++++++++++--------------
 1 files changed, 36 insertions(+), 26 deletions(-)

--- linux-2.6.15.4.orig/drivers/infiniband/hw/mthca/mthca_qp.c
+++ linux-2.6.15.4/drivers/infiniband/hw/mthca/mthca_qp.c
@@ -885,18 +885,13 @@ int mthca_modify_qp(struct ib_qp *ibqp, 
 	return err;
 }
 
-static void mthca_adjust_qp_caps(struct mthca_dev *dev,
-				 struct mthca_pd *pd,
-				 struct mthca_qp *qp)
+static int mthca_max_data_size(struct mthca_dev *dev, struct mthca_qp *qp, int desc_sz)
 {
-	int max_data_size;
-
 	/*
 	 * Calculate the maximum size of WQE s/g segments, excluding
 	 * the next segment and other non-data segments.
 	 */
-	max_data_size = min(dev->limits.max_desc_sz, 1 << qp->sq.wqe_shift) -
-		sizeof (struct mthca_next_seg);
+	int max_data_size = desc_sz - sizeof (struct mthca_next_seg);
 
 	switch (qp->transport) {
 	case MLX:
@@ -915,11 +910,24 @@ static void mthca_adjust_qp_caps(struct 
 		break;
 	}
 
+	return max_data_size;
+}
+
+static inline int mthca_max_inline_data(struct mthca_pd *pd, int max_data_size)
+{
 	/* We don't support inline data for kernel QPs (yet). */
-	if (!pd->ibpd.uobject)
-		qp->max_inline_data = 0;
-        else
-		qp->max_inline_data = max_data_size - MTHCA_INLINE_HEADER_SIZE;
+	return pd->ibpd.uobject ? max_data_size - MTHCA_INLINE_HEADER_SIZE : 0;
+}
+
+static void mthca_adjust_qp_caps(struct mthca_dev *dev,
+				 struct mthca_pd *pd,
+				 struct mthca_qp *qp)
+{
+	int max_data_size = mthca_max_data_size(dev, qp,
+						min(dev->limits.max_desc_sz,
+						    1 << qp->sq.wqe_shift));
+
+	qp->max_inline_data = mthca_max_inline_data(pd, max_data_size);
 
 	qp->sq.max_gs = min_t(int, dev->limits.max_sg,
 			      max_data_size / sizeof (struct mthca_data_seg));
@@ -1186,13 +1194,23 @@ static int mthca_alloc_qp_common(struct 
 }
 
 static int mthca_set_qp_size(struct mthca_dev *dev, struct ib_qp_cap *cap,
-			     struct mthca_qp *qp)
+			     struct mthca_pd *pd, struct mthca_qp *qp)
 {
+	int max_data_size = mthca_max_data_size(dev, qp, dev->limits.max_desc_sz);
+
 	/* Sanity check QP size before proceeding */
-	if (cap->max_send_wr  > dev->limits.max_wqes ||
-	    cap->max_recv_wr  > dev->limits.max_wqes ||
-	    cap->max_send_sge > dev->limits.max_sg   ||
-	    cap->max_recv_sge > dev->limits.max_sg)
+	if (cap->max_send_wr  	 > dev->limits.max_wqes ||
+	    cap->max_recv_wr  	 > dev->limits.max_wqes ||
+	    cap->max_send_sge 	 > dev->limits.max_sg   ||
+	    cap->max_recv_sge 	 > dev->limits.max_sg   ||
+	    cap->max_inline_data > mthca_max_inline_data(pd, max_data_size))
+		return -EINVAL;
+
+	/*
+	 * For MLX transport we need 2 extra S/G entries:
+	 * one for the header and one for the checksum at the end
+	 */
+	if (qp->transport == MLX && cap->max_recv_sge + 2 > dev->limits.max_sg)
 		return -EINVAL;
 
 	if (mthca_is_memfree(dev)) {
@@ -1211,14 +1229,6 @@ static int mthca_set_qp_size(struct mthc
 				    MTHCA_INLINE_CHUNK_SIZE) /
 			      sizeof (struct mthca_data_seg));
 
-	/*
-	 * For MLX transport we need 2 extra S/G entries:
-	 * one for the header and one for the checksum at the end
-	 */
-	if ((qp->transport == MLX && qp->sq.max_gs + 2 > dev->limits.max_sg) ||
-	    qp->sq.max_gs > dev->limits.max_sg || qp->rq.max_gs > dev->limits.max_sg)
-		return -EINVAL;
-
 	return 0;
 }
 
@@ -1233,7 +1243,7 @@ int mthca_alloc_qp(struct mthca_dev *dev
 {
 	int err;
 
-	err = mthca_set_qp_size(dev, cap, qp);
+	err = mthca_set_qp_size(dev, cap, pd, qp);
 	if (err)
 		return err;
 
@@ -1276,7 +1286,7 @@ int mthca_alloc_sqp(struct mthca_dev *de
 	u32 mqpn = qpn * 2 + dev->qp_table.sqp_start + port - 1;
 	int err;
 
-	err = mthca_set_qp_size(dev, cap, &sqp->qp);
+	err = mthca_set_qp_size(dev, cap, pd, &sqp->qp);
 	if (err)
 		return err;
 

--

Re: [patch 10/39] [PATCH] i386/x86-64: Dont IPI to offline cpus on shutdown

[Andi Kleen]

On Monday 27 February 2006 23:32, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> So why are we calling smp_send_stop from machine_halt?

I don't think that one is really suitable for stable since it's
a relative obscure problem and the fix is not fully clear. Also it might
have side effects. Shouldn't be merged.

-Andi

Re: [patch 10/39] [PATCH] i386/x86-64: Dont IPI to offline cpus on shutdown

[Chris Wright]

* Andi Kleen (ak@suse.de) wrote:
> On Monday 27 February 2006 23:32, Chris Wright wrote:
> > -stable review patch.  If anyone has any objections, please let us know.
> > ------------------
> > 
> > So why are we calling smp_send_stop from machine_halt?
> 
> I don't think that one is really suitable for stable since it's
> a relative obscure problem and the fix is not fully clear. Also it might
> have side effects. Shouldn't be merged.

This was sent in by both Andrew and Ashok, and is upstream (although Eric
notes there's more to the comprehensive solution).  It allegedly solves:

http://bugzilla.kernel.org/show_bug.cgi?id=6077

Although the reporter seems to have gone silent.  Unless there's some
compelling evidence otherwise, I'm happy to drop it.

thanks,
-chris

Re: [patch 04/39] [PATCH] [BRIDGE]: netfilter missing symbol has_bridge_parent

[Horms]

On Mon, Feb 27, 2006 at 02:32:04PM -0800, Chris Wright wrote:
> -stable review patch.  If anyone has any objections, please let us know.
> ------------------
> 
> 5dce971acf2ae20c80d5e9d1f6bbf17376870911 in Linus' tree,
> otherwise known as bridge-netfilter-races-on-device-removal.patch in
> 2.5.15.4 removed has_bridge_parent, however this symbol is still
> called with NETFILTER_DEBUG is enabled.
> 
> This patch uses the already seeded realoutdev value to detect if a parent
> exists, and if so, the value of the parent.
> 
> Signed-Off-By: Horms <horms@verge.net.au>
> Acked-by: Stephen Hemminger <shemminger@osdl.org>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> ---
> 
>  net/bridge/br_netfilter.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> --- linux-2.6.15.4.orig/net/bridge/br_netfilter.c
> +++ linux-2.6.15.4/net/bridge/br_netfilter.c
> @@ -794,8 +794,8 @@ static unsigned int br_nf_post_routing(u
>  print_error:
>  	if (skb->dev != NULL) {
>  		printk("[%s]", skb->dev->name);
> -		if (has_bridge_parent(skb->dev))
> -			printk("[%s]", bridge_parent(skb->dev)->name);
> +		if (realoutdev)
> +			printk("[%s]", realoutdev->name);
>  	}
>  	printk(" head:%p, raw:%p, data:%p\n", skb->head, skb->mac.raw,
>  					      skb->data);
> 
> --

I double checked, and that is the aggregate fix that was added
to Linus' tree, it should solve the problem at hand.

-- 
Horms

Re: [patch 10/39] [PATCH] i386/x86-64: Dont IPI to offline cpus on shutdown

[Eric W. Biederman]

Chris Wright <chrisw@sous-sol.org> writes:

> * Andi Kleen (ak@suse.de) wrote:
>> On Monday 27 February 2006 23:32, Chris Wright wrote:
>> > -stable review patch.  If anyone has any objections, please let us know.
>> > ------------------
>> > 
>> > So why are we calling smp_send_stop from machine_halt?
>> 
>> I don't think that one is really suitable for stable since it's
>> a relative obscure problem and the fix is not fully clear. Also it might
>> have side effects. Shouldn't be merged.
>
> This was sent in by both Andrew and Ashok, and is upstream (although Eric
> notes there's more to the comprehensive solution).  It allegedly solves:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6077
>
> Although the reporter seems to have gone silent.  Unless there's some
> compelling evidence otherwise, I'm happy to drop it.

The comprehensive fix for 2.6.15.x is to remove -p from /sbin/halt
if your machine has this problem.  I have just updated the bugzilla
entry so we can remember this.

There are no security implications to this, either since this is a crash
when attempting to power off the machine.

Eric

Re: [patch 10/39] [PATCH] i386/x86-64: Dont IPI to offline cpus on shutdown

[Chris Wright]

* Eric W. Biederman (ebiederm@xmission.com) wrote:
> The comprehensive fix for 2.6.15.x is to remove -p from /sbin/halt
> if your machine has this problem.  I have just updated the bugzilla
> entry so we can remember this.

fix...workaround... ;-)  At any rate, I've dropped this one.  Thanks
to you and Andi for reviewing.

thanks,
-chris

Re: [patch 18/39] [PATCH] sys_mbind sanity checking

[Dave Jones]

On Mon, Feb 27, 2006 at 02:32:18PM -0800, Chris Wright wrote:
 > -stable review patch.  If anyone has any objections, please let us know.
 > ------------------
 > 
 > Make sure maxnodes is safe size before calculating nlongs in
 > get_nodes().
 > 
 > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 > Signed-off-by: Linus Torvalds <torvalds@osdl.org>
 > [chrisw: fix units, pointed out by Andi]
 > Cc: Andi Kleen <ak@suse.de>
 > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 > ---
 > 
 >  mm/mempolicy.c |    2 ++
 >  1 files changed, 2 insertions(+)
 > 
 > --- linux-2.6.15.4.orig/mm/mempolicy.c
 > +++ linux-2.6.15.4/mm/mempolicy.c
 > @@ -524,6 +524,8 @@ static int get_nodes(nodemask_t *nodes, 
 >  	nodes_clear(*nodes);
 >  	if (maxnode == 0 || !nmask)
 >  		return 0;
 > +	if (maxnode > PAGE_SIZE*BITS_PER_BYTE)
 > +		return -EINVAL;
 >  
 >  	nlongs = BITS_TO_LONGS(maxnode);
 >  	if ((maxnode % BITS_PER_LONG) == 0)

Gar..

mm/mempolicy.c: In function 'get_nodes':
mm/mempolicy.c:527: error: 'BITS_PER_BYTE' undeclared (first use in this function)
mm/mempolicy.c:527: error: (Each undeclared identifier is reported only once
mm/mempolicy.c:527: error: for each function it appears in.)

About to retry a build with the below patch which should do the trick.
(How did this *ever* build?)

Signed-off-by: Dave Jones <davej@redhat.com>

--- linux-2.6.15/include/linux/types.h~	2006-03-01 23:05:24.000000000 -0500
+++ linux-2.6.15/include/linux/types.h	2006-03-01 23:05:57.000000000 -0500
@@ -8,6 +8,7 @@
 	(((bits)+BITS_PER_LONG-1)/BITS_PER_LONG)
 #define DECLARE_BITMAP(name,bits) \
 	unsigned long name[BITS_TO_LONGS(bits)]
+#define BITS_PER_BYTE 8
 #endif
 
 #include <linux/posix_types.h>

Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

[Dave Jones]

On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
 > -stable review patch.  If anyone has any objections, please let us know.
 > ------------------
 > 
 > This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
 > NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
 > 
 > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 > ---
 > 
 >  fs/nfs/direct.c |    5 +++++
 >  1 files changed, 5 insertions(+)
 > 
 > --- linux-2.6.15.4.orig/fs/nfs/direct.c
 > +++ linux-2.6.15.4/fs/nfs/direct.c
 > @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
 >  		result = get_user_pages(current, current->mm, user_addr,
 >  					page_count, (rw == READ), 0,
 >  					*pages, NULL);
 > +		if (result >= 0 && result < page_count) {
 > +			nfs_free_user_pages(*pages, result, 0);
 > +			*pages = NULL;
 > +			result = -EFAULT;
 > +		}
 >  		up_read(&current->mm->mmap_sem);
 >  	}
 >  	return result;

Also broken in 2.6.15.5 it seems :-/

fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here

Some function juggling should do the trick.

Signed-off-by: Dave Jones <davej@redhat.com>

--- linux-2.6.15/fs/nfs/direct.c~	2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c	2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
 				error;		/* any reported error */
 };
 
+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+	int i;
+	for (i = 0; i < npages; i++) {
+		if (do_dirty)
+			set_page_dirty_lock(pages[i]);
+		page_cache_release(pages[i]);
+	}
+	kfree(pages);
+}
 
 /**
  * nfs_get_user_pages - find and set up pages underlying user's buffer
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
 }
 
 /**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
-	int i;
-	for (i = 0; i < npages; i++) {
-		if (do_dirty)
-			set_page_dirty_lock(pages[i]);
-		page_cache_release(pages[i]);
-	}
-	kfree(pages);
-}
-
-/**
  * nfs_direct_req_release - release  nfs_direct_req structure for direct read
  * @kref: kref object embedded in an nfs_direct_req structure
  *

Re: [stable] Re: [patch 18/39] [PATCH] sys_mbind sanity checking

[Chris Wright]

* Dave Jones (davej@redhat.com) wrote:
> Gar..
> 
> mm/mempolicy.c: In function 'get_nodes':
> mm/mempolicy.c:527: error: 'BITS_PER_BYTE' undeclared (first use in this function)
> mm/mempolicy.c:527: error: (Each undeclared identifier is reported only once
> mm/mempolicy.c:527: error: for each function it appears in.)
> 
> About to retry a build with the below patch which should do the trick.
> (How did this *ever* build?)

Egads, this is a terrible release.  Thanks, that is the same macro
that's in Linus' tree which is the base I tested the original patch on,
and it's off on the configs I'm testing -stable with so I completely
missed the trivial brokeness.

thanks,
-chris

Re: [stable] Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

[Chris Wright]

* Dave Jones (davej@redhat.com) wrote:
> Also broken in 2.6.15.5 it seems :-/

Indeed, the diff below effectively replaces what's in 2.6.15.5 with
what Trond had sent me.  Should fix the compile error and keep in sync
with what's going upstream.
--

Compile fix:

fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here

This should now be the same as fix that's going upstream.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
---

 fs/nfs/direct.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletion(-)

--- linux-2.6.15.5.orig/fs/nfs/direct.c
+++ linux-2.6.15.5/fs/nfs/direct.c
@@ -57,6 +57,7 @@
 #define NFSDBG_FACILITY		NFSDBG_VFS
 #define MAX_DIRECTIO_SIZE	(4096UL << PAGE_SHIFT)
 
+static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);
 static kmem_cache_t *nfs_direct_cachep;
 
 /*
@@ -106,12 +107,16 @@ nfs_get_user_pages(int rw, unsigned long
 		result = get_user_pages(current, current->mm, user_addr,
 					page_count, (rw == READ), 0,
 					*pages, NULL);
+		up_read(&current->mm->mmap_sem);
+		/*
+		 * If we got fewer pages than expected from get_user_pages(),
+		 * the user buffer runs off the end of a mapping; return EFAULT.
+		 */
 		if (result >= 0 && result < page_count) {
 			nfs_free_user_pages(*pages, result, 0);
 			*pages = NULL;
 			result = -EFAULT;
 		}
-		up_read(&current->mm->mmap_sem);
 	}
 	return result;
 }