[patch 00/47] 2.6.25-stable review

[patch 00/47] 2.6.25-stable review

[Greg KH]

This is the start of the stable review cycle for the 2.6.25.7 release.
There are 47 patches in this series, all will be posted as a response to
this one.  If anyone has any issues with these being applied, please let
us know.  If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line.  If you wish to be a reviewer, please email stable@kernel.org to
add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by Monday, Jun 16, 20:00:00 UTC.  Anything
received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.7-rc1.gz
and the diffstat can be found below.


thanks,

the -stable release team

----------


 Documentation/cciss.txt                   |    5 +
 Makefile                                  |    2 
 arch/x86/Kconfig                          |   23 +----
 drivers/block/brd.c                       |    1 
 drivers/block/cciss.c                     |   21 +++--
 drivers/char/pcmcia/ipwireless/hardware.c |   20 ++--
 drivers/cpufreq/cpufreq.c                 |    2 
 drivers/infiniband/core/umem.c            |    2 
 drivers/media/video/bt8xx/bttv-driver.c   |    2 
 drivers/media/video/videobuf-core.c       |    3 
 drivers/mmc/host/wbsd.c                   |   21 ++---
 drivers/net/cassini.c                     |   11 +-
 drivers/net/forcedeth.c                   |   20 ++++
 drivers/net/pppol2tp.c                    |  124 +++++++++++++++++++++++-------
 drivers/net/wireless/b43/main.c           |   12 ++
 drivers/serial/serial_core.c              |    5 -
 drivers/serial/sunhv.c                    |    1 
 drivers/ssb/driver_pcicore.c              |    4 
 drivers/video/hgafb.c                     |   26 +++---
 drivers/video/modedb.c                    |    1 
 fs/cifs/cifsfs.c                          |   21 ++---
 fs/ecryptfs/crypto.c                      |    2 
 fs/ecryptfs/file.c                        |    2 
 fs/ecryptfs/inode.c                       |   15 +--
 fs/pipe.c                                 |    3 
 include/asm-m68k/bitops.h                 |   46 ++++++++++-
 include/linux/pci_ids.h                   |    1 
 include/media/videobuf-core.h             |    3 
 include/net/netlink.h                     |   11 +-
 init/Kconfig                              |    1 
 net/8021q/vlan.c                          |    4 
 net/ax25/ax25_subr.c                      |   11 --
 net/bluetooth/rfcomm/core.c               |    2 
 net/can/raw.c                             |   21 ++---
 net/core/dev.c                            |    2 
 net/ipv4/route.c                          |    2 
 net/ipv4/tcp_cong.c                       |   12 +-
 net/ipv4/tcp_input.c                      |   65 ++++++++++-----
 net/ipv4/tcp_output.c                     |   10 +-
 net/ipv6/route.c                          |    2 
 net/key/af_key.c                          |    2 
 net/mac80211/ieee80211_sta.c              |    5 +
 net/sched/cls_api.c                       |    2 
 sound/pci/emu10k1/emu10k1_main.c          |   15 +--
 sound/pci/hda/patch_realtek.c             |    1 
 45 files changed, 375 insertions(+), 192 deletions(-)

[patch 01/47] b43: Fix controller restart crash

[Greg KH]

[-- Attachment #1: b43-fix-controller-restart-crash.patch --]
[-- Type: text/plain, Size: 1719 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Michael Buesch <mb@bu3sch.de>

upstream commit: 3bf0a32e22fedc0b46443699db2d61ac2a883ac4

This fixes a kernel crash on rmmod, in the case where the controller
was restarted before doing the rmmod.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/wireless/b43/main.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -3818,7 +3818,9 @@ static void b43_chip_reset(struct work_s
 			goto out;
 		}
 	}
-      out:
+out:
+	if (err)
+		wl->current_dev = NULL; /* Failed to init the dev. */
 	mutex_unlock(&wl->mutex);
 	if (err)
 		b43err(wl, "Controller restart FAILED\n");
@@ -3967,9 +3969,11 @@ static void b43_one_core_detach(struct s
 	struct b43_wldev *wldev;
 	struct b43_wl *wl;
 
+	/* Do not cancel ieee80211-workqueue based work here.
+	 * See comment in b43_remove(). */
+
 	wldev = ssb_get_drvdata(dev);
 	wl = wldev->wl;
-	cancel_work_sync(&wldev->restart_work);
 	b43_debugfs_remove_device(wldev);
 	b43_wireless_core_detach(wldev);
 	list_del(&wldev->list);
@@ -4152,6 +4156,10 @@ static void b43_remove(struct ssb_device
 	struct b43_wl *wl = ssb_get_devtypedata(dev);
 	struct b43_wldev *wldev = ssb_get_drvdata(dev);
 
+	/* We must cancel any work here before unregistering from ieee80211,
+	 * as the ieee80211 unreg will destroy the workqueue. */
+	cancel_work_sync(&wldev->restart_work);
+
 	B43_WARN_ON(!wl);
 	if (wl->current_dev == wldev)
 		ieee80211_unregister_hw(wl->hw);

-- 

[patch 02/47] ipwireless: Fix blocked sending

[Greg KH]

[-- Attachment #1: ipwireless-fix-blocked-sending.patch --]
[-- Type: text/plain, Size: 3935 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David Sterba <dsterba@suse.cz>

upstream commit: eb4e545d4ac82d9018487edb4419b33b9930c857

Packet sending is driven by two flags, tx_ready and tx_queued.
It was possible, that there were queued data for sending and
hardware was flagged as blocked but in fact it was not.

The tx_queued was indicator but should be really a counter else
first fragmented packet resets tx_queued flag, but there may be
pending packets which do not get sent.

New semantics:
tx_ready - set, if hw is ready to send packet, no packet is being
           transferred right now
           set the flag right at the place where data are copied
           into hw memory and not earlier without checking if it
           was succesful
tx_queued - count of enqueued packets, including fragments

Tested-by: Michal Rokos <michal.rokos@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/char/pcmcia/ipwireless/hardware.c |   20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/char/pcmcia/ipwireless/hardware.c
+++ b/drivers/char/pcmcia/ipwireless/hardware.c
@@ -251,10 +251,11 @@ struct ipw_hardware {
 	int init_loops;
 	struct timer_list setup_timer;
 
+	/* Flag if hw is ready to send next packet */
 	int tx_ready;
-	struct list_head tx_queue[NL_NUM_OF_PRIORITIES];
-	/* True if any packets are queued for transmission */
+	/* Count of pending packets to be sent */
 	int tx_queued;
+	struct list_head tx_queue[NL_NUM_OF_PRIORITIES];
 
 	int rx_bytes_queued;
 	struct list_head rx_queue;
@@ -430,6 +431,8 @@ static int do_send_fragment(struct ipw_h
 
 	spin_lock_irqsave(&hw->spinlock, flags);
 
+	hw->tx_ready = 0;
+
 	if (hw->hw_version == HW_VERSION_1) {
 		outw((unsigned short) length, hw->base_port + IODWR);
 
@@ -518,6 +521,7 @@ static int do_send_packet(struct ipw_har
 
 		spin_lock_irqsave(&hw->spinlock, flags);
 		list_add(&packet->queue, &hw->tx_queue[0]);
+		hw->tx_queued++;
 		spin_unlock_irqrestore(&hw->spinlock, flags);
 	} else {
 		if (packet->packet_callback)
@@ -975,12 +979,10 @@ static int send_pending_packet(struct ip
 	unsigned long flags;
 
 	spin_lock_irqsave(&hw->spinlock, flags);
-	if (hw->tx_queued && hw->tx_ready != 0) {
+	if (hw->tx_queued && hw->tx_ready) {
 		int priority;
 		struct ipw_tx_packet *packet = NULL;
 
-		hw->tx_ready--;
-
 		/* Pick a packet */
 		for (priority = 0; priority < priority_limit; priority++) {
 			if (!list_empty(&hw->tx_queue[priority])) {
@@ -989,6 +991,7 @@ static int send_pending_packet(struct ip
 						struct ipw_tx_packet,
 						queue);
 
+				hw->tx_queued--;
 				list_del(&packet->queue);
 
 				break;
@@ -999,6 +1002,7 @@ static int send_pending_packet(struct ip
 			spin_unlock_irqrestore(&hw->spinlock, flags);
 			return 0;
 		}
+
 		spin_unlock_irqrestore(&hw->spinlock, flags);
 
 		/* Send */
@@ -1089,7 +1093,7 @@ static irqreturn_t ipwireless_handle_v1_
 		if (irqn & IR_TXINTR) {
 			ack |= IR_TXINTR;
 			spin_lock_irqsave(&hw->spinlock, flags);
-			hw->tx_ready++;
+			hw->tx_ready = 1;
 			spin_unlock_irqrestore(&hw->spinlock, flags);
 		}
 		/* Received data */
@@ -1196,7 +1200,7 @@ static irqreturn_t ipwireless_handle_v2_
 	if (memrxdone & MEMRX_RX_DONE) {
 		writew(0, &hw->memory_info_regs->memreg_rx_done);
 		spin_lock_irqsave(&hw->spinlock, flags);
-		hw->tx_ready++;
+		hw->tx_ready = 1;
 		spin_unlock_irqrestore(&hw->spinlock, flags);
 		tx = 1;
 	}
@@ -1260,7 +1264,7 @@ static void send_packet(struct ipw_hardw
 
 	spin_lock_irqsave(&hw->spinlock, flags);
 	list_add_tail(&packet->queue, &hw->tx_queue[priority]);
-	hw->tx_queued = 1;
+	hw->tx_queued++;
 	spin_unlock_irqrestore(&hw->spinlock, flags);
 
 	flush_packets_to_hw(hw);

-- 

[patch 03/47] Add rd alias to new brd ramdisk driver

[Greg KH]

[-- Attachment #1: add-rd-alias-to-new-brd-ramdisk-driver.patch --]
[-- Type: text/plain, Size: 805 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Nick Piggin <npiggin@suse.de>

upstream commit: efedf51c866130945b5db755cb58670e60205d83

Alias brd to rd in the hope of helping legacy users. Suggested by Jan.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/block/brd.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -392,6 +392,7 @@ module_param(rd_size, int, 0);
 MODULE_PARM_DESC(rd_size, "Size of each RAM disk in kbytes.");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS_BLOCKDEV_MAJOR(RAMDISK_MAJOR);
+MODULE_ALIAS("rd");
 
 #ifndef MODULE
 /* Legacy boot options - nonmodular */

-- 

[patch 04/47] ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable

[Greg KH]

[-- Attachment #1: ssb-fix-context-assertion-in-ssb_pcicore_dev_irqvecs_enable.patch --]
[-- Type: text/plain, Size: 1080 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Michael Buesch <mb@bu3sch.de>

upstream commit: a3bafeedfff2ac5fa0a316bea4570e27900b6fcc

This fixes a context assertion in ssb that makes b44 print
out warnings on resume.

This fixes the following kernel oops:
http://www.kerneloops.org/oops.php?number=12732
http://www.kerneloops.org/oops.php?number=11410

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 drivers/ssb/driver_pcicore.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ssb/driver_pcicore.c
+++ b/drivers/ssb/driver_pcicore.c
@@ -519,12 +519,12 @@ int ssb_pcicore_dev_irqvecs_enable(struc
 	int err = 0;
 	u32 tmp;
 
-	might_sleep();
-
 	if (!pdev)
 		goto out;
 	bus = pdev->bus;
 
+	might_sleep_if(pdev->id.coreid != SSB_DEV_PCI);
+
 	/* Enable interrupts for this device. */
 	if (bus->host_pci &&
 	    ((pdev->id.revision >= 6) || (pdev->id.coreid == SSB_DEV_PCIE))) {

-- 

[patch 05/47] double-free of inode on alloc_file() failure exit in create_write_pipe()

[Greg KH]

[-- Attachment #1: double-free-of-inode-on-alloc_file-failure-exit-in-create_write_pipe.patch --]
[-- Type: text/plain, Size: 734 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Al Viro <viro@zeniv.linux.org.uk>

upstream commit: ed1524371716466e9c762808b02601d0d0276a92

Duh...  Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
mine ;-/

http://bugzilla.kernel.org/show_bug.cgi?id=10878

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/pipe.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -988,7 +988,10 @@ struct file *create_write_pipe(void)
 	return f;
 
  err_dentry:
+	free_pipe_info(inode);
 	dput(dentry);
+	return ERR_PTR(err);
+
  err_inode:
 	free_pipe_info(inode);
 	iput(inode);

-- 

[patch 06/47] ALSA: hda - Fix resume of auto-config mode with Realtek codecs

[Greg KH]

[-- Attachment #1: alsa-hda-fix-resume-of-auto-config-mode-with-realtek-codecs.patch --]
[-- Type: text/plain, Size: 950 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Takashi Iwai <tiwai@suse.de>

upstream commit: 07bc76dfa19b10017b518dd9aa1b2719e8c863de

The auto-config mode of Realtek ALC codecs has a bug since 2.6.25
that it cannot resume properly.  The problem was the wrong assignment
of init_hook that overrides the whole initialization.

Relevant bug reports:
	http://bugzilla.kernel.org/show_bug.cgi?id=10662
	https://bugzilla.novell.com/show_bug.cgi?id=385473

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 sound/pci/hda/patch_realtek.c |    1 -
 1 file changed, 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -940,7 +940,6 @@ do_sku:
 			    AC_VERB_SET_UNSOLICITED_ENABLE,
 			    AC_USRSP_EN | ALC880_HP_EVENT);
 	spec->unsol_event = alc_sku_unsol_event;
-	spec->init_hook = alc_sku_automute;	
 }
 
 /*

-- 

[patch 07/47] sound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card

[Greg KH]

[-- Attachment #1: sound-emu10k1-fix-system-hang-with-audigy2-zs-notebook-pcmcia-card.patch --]
[-- Type: text/plain, Size: 2439 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Jaroslav Franek <jarin.franek@post.cz>

upstream commit: 868e15dbd2940f9453b4399117686f408dc77299

When the Linux kernel is compiled with CONFIG_DEBUG_SHIRQ=y,
the Soundblaster Audigy2 ZS Notebook PCMCIA card causes the
system hang during boot (udev stage) or when the card is hot-plug.
The CONFIG_DEBUG_SHIRQ flag is by default 'y' with all Fedora
kernels since 2.6.23. The problem was reported as
https://bugzilla.redhat.com/show_bug.cgi?id=326411

The issue was hunted down to the snd_emu10k1_create() routine:

/* pseudo-code */
snd_emu10k1_create(...) {
	...
	request_irq(... IRQF_SHARED ...) {
		register the irq handler
		#ifdef CONFIG_DEBUG_SHIRQ
		call the irq handler: snd_emu10k1_interrupt() {
			poll I/O port   // <---- !! system hangs
			...
		}
		#endif
	}
	...
	snd_emu10k1_cardbus_init(...) {
		initialize I/O ports
	}
	...
}

The early access to I/O port in the interrupt handler causes
the freeze. Obviously it is necessary to init the I/O ports
before accessing them. This patch moves the registration of
the irq handler after the initialization of the I/O ports.

Signed-off-by: Jaroslav Franek <jarin.franek@post.cz>
Acked-by: James Courtier-Dutton <James@superbug.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 sound/pci/emu10k1/emu10k1_main.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/sound/pci/emu10k1/emu10k1_main.c
+++ b/sound/pci/emu10k1/emu10k1_main.c
@@ -1817,13 +1817,6 @@ int __devinit snd_emu10k1_create(struct 
 	}
 	emu->port = pci_resource_start(pci, 0);
 
-	if (request_irq(pci->irq, snd_emu10k1_interrupt, IRQF_SHARED,
-			"EMU10K1", emu)) {
-		err = -EBUSY;
-		goto error;
-	}
-	emu->irq = pci->irq;
-
 	emu->max_cache_pages = max_cache_bytes >> PAGE_SHIFT;
 	if (snd_dma_alloc_pages(SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(pci),
 				32 * 1024, &emu->ptb_pages) < 0) {
@@ -1886,6 +1879,14 @@ int __devinit snd_emu10k1_create(struct 
 	emu->fx8010.etram_pages.area = NULL;
 	emu->fx8010.etram_pages.bytes = 0;
 
+	/* irq handler must be registered after I/O ports are activated */
+	if (request_irq(pci->irq, snd_emu10k1_interrupt, IRQF_SHARED,
+			"EMU10K1", emu)) {
+		err = -EBUSY;
+		goto error;
+	}
+	emu->irq = pci->irq;
+
 	/*
 	 *  Init to 0x02109204 :
 	 *  Clock accuracy    = 0     (1000ppm)

-- 

[patch 08/47] ecryptfs: add missing lock around notify_change

[Greg KH]

[-- Attachment #1: ecryptfs-add-missing-lock-around-notify_change.patch --]
[-- Type: text/plain, Size: 985 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Miklos Szeredi <mszeredi@suse.cz>

upstream commit: 9c3580aa52195699065bc2d7242b1c7e3e6903fa

Callers of notify_change() need to hold i_mutex.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/ecryptfs/inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -908,7 +908,9 @@ static int ecryptfs_setattr(struct dentr
 	if (ia->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
 		ia->ia_valid &= ~ATTR_MODE;
 
+	mutex_lock(&lower_dentry->d_inode->i_mutex);
 	rc = notify_change(lower_dentry, ia);
+	mutex_unlock(&lower_dentry->d_inode->i_mutex);
 out:
 	fsstack_copy_attr_all(inode, lower_inode, NULL);
 	return rc;

-- 

[patch 09/47] eCryptfs: protect crypt_stat->flags in ecryptfs_open()

[Greg KH]

[-- Attachment #1: ecryptfs-protect-crypt_stat-flags-in-ecryptfs_open.patch --]
[-- Type: text/plain, Size: 1032 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Michael Halcrow <mhalcrow@us.ibm.com>

upstream commit: 2f9b12a31fcb738ea8c9eb0d4ddf906c6f1d696c

Make sure crypt_stat->flags is protected with a lock in ecryptfs_open().

Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/ecryptfs/file.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -195,7 +195,9 @@ static int ecryptfs_open(struct inode *i
 		file, ecryptfs_inode_to_private(inode)->lower_file);
 	if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) {
 		ecryptfs_printk(KERN_DEBUG, "This is a directory\n");
+		mutex_lock(&crypt_stat->cs_mutex);
 		crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
+		mutex_unlock(&crypt_stat->cs_mutex);
 		rc = 0;
 		goto out;
 	}

-- 

[patch 10/47] ecryptfs: clean up (un)lock_parent

[Greg KH]

[-- Attachment #1: ecryptfs-clean-up-lock_parent.patch --]
[-- Type: text/plain, Size: 1961 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Miklos Szeredi <mszeredi@suse.cz>

upstream commit: 8dc4e37362a5dc910d704d52ac6542bfd49ddc2f

dget(dentry->d_parent) --> dget_parent(dentry)

unlock_parent() is racy and unnecessary.  Replace single caller with
unlock_dir().

There are several other suspect uses of ->d_parent in ecryptfs...

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/ecryptfs/inode.c |   13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -37,17 +37,11 @@ static struct dentry *lock_parent(struct
 {
 	struct dentry *dir;
 
-	dir = dget(dentry->d_parent);
+	dir = dget_parent(dentry);
 	mutex_lock_nested(&(dir->d_inode->i_mutex), I_MUTEX_PARENT);
 	return dir;
 }
 
-static void unlock_parent(struct dentry *dentry)
-{
-	mutex_unlock(&(dentry->d_parent->d_inode->i_mutex));
-	dput(dentry->d_parent);
-}
-
 static void unlock_dir(struct dentry *dir)
 {
 	mutex_unlock(&dir->d_inode->i_mutex);
@@ -426,8 +420,9 @@ static int ecryptfs_unlink(struct inode 
 	int rc = 0;
 	struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
 	struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+	struct dentry *lower_dir_dentry;
 
-	lock_parent(lower_dentry);
+	lower_dir_dentry = lock_parent(lower_dentry);
 	rc = vfs_unlink(lower_dir_inode, lower_dentry);
 	if (rc) {
 		printk(KERN_ERR "Error in vfs_unlink; rc = [%d]\n", rc);
@@ -439,7 +434,7 @@ static int ecryptfs_unlink(struct inode 
 	dentry->d_inode->i_ctime = dir->i_ctime;
 	d_drop(dentry);
 out_unlock:
-	unlock_parent(lower_dentry);
+	unlock_dir(lower_dir_dentry);
 	return rc;
 }
 

-- 

[patch 11/47] ecryptfs: fix missed mutex_unlock

[Greg KH]

[-- Attachment #1: ecryptfs-fix-missed-mutex_unlock.patch --]
[-- Type: text/plain, Size: 803 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Cyrill Gorcunov <gorcunov@gmail.com>

upstream commit: 71fd5179e8d1d4d503b517e0c5374f7c49540bfc

Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/ecryptfs/crypto.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -1907,9 +1907,9 @@ int ecryptfs_get_tfm_and_mutex_for_ciphe
 			goto out;
 		}
 	}
-	mutex_unlock(&key_tfm_list_mutex);
 	(*tfm) = key_tfm->key_tfm;
 	(*tfm_mutex) = &key_tfm->key_tfm_mutex;
 out:
+	mutex_unlock(&key_tfm_list_mutex);
 	return rc;
 }

-- 

[patch 12/47] fbdev: export symbol fb_mode_option

[Greg KH]

[-- Attachment #1: ps3-fix-frame-buffer-build-error.patch --]
[-- Type: text/plain, Size: 1041 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Geoff Levand <geoffrey.levand@am.sony.com>

upstream commit: 659179b28f15ab1b1db5f8767090f5e728f115a1

Frame buffer and mode setting drivers can be built as modules,
so fb_mode_option needs to be exported to support these.

Prevents this error:

  ERROR: "fb_mode_option" [drivers/ps3/ps3av_mod.ko] undefined!

Signed-off-by: Geoff Levand <geoffrey.levand@am.sony.com>
Acked-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/video/modedb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/video/modedb.c
+++ b/drivers/video/modedb.c
@@ -28,6 +28,7 @@
 #endif
 
 const char *fb_mode_option;
+EXPORT_SYMBOL_GPL(fb_mode_option);
 
     /*
      *  Standard video mode definitions (taken from XFree86)

-- 

[patch 13/47] sunhv: Fix locking in non-paged I/O case.

[Greg KH]

[-- Attachment #1: sunhv-fix-locking-in-non-paged-i-o-case.patch --]
[-- Type: text/plain, Size: 733 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David S. Miller <davem@davemloft.net>

[ upstream commit: 3651751fff44ede58f65cbb1e39242139ead251b ]

This causes the lock to be taken twice, thus resulting in
a deadlock.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/serial/sunhv.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/serial/sunhv.c
+++ b/drivers/serial/sunhv.c
@@ -499,7 +499,6 @@ static void sunhv_console_write_bychar(s
 	} else
 		spin_lock(&port->lock);
 
-	spin_lock_irqsave(&port->lock, flags);
 	for (i = 0; i < n; i++) {
 		if (*s == '\n')
 			sunhv_console_putchar(port, '\r');

-- 

[patch 14/47] af_key: Fix selector family initialization.

[Greg KH]

[-- Attachment #1: af_key-fix-selector-family-initialization.patch --]
[-- Type: text/plain, Size: 975 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Kazunori MIYAZAWA <kazunori@miyazawa.org>

[ upstream commit: 4da5105687e0993a3bbdcffd89b2b94d9377faab ]

This propagates the xfrm_user fix made in commit
bcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 ("[XFRM]: xfrm_user: fix
selector family initialization")

Based upon a bug report from, and tested by, Alan Swanson.

Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/key/af_key.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfr
 		x->sel.prefixlen_s = addr->sadb_address_prefixlen;
 	}
 
-	if (x->props.mode == XFRM_MODE_TRANSPORT)
+	if (!x->sel.family)
 		x->sel.family = x->props.family;
 
 	if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {

-- 

[patch 15/47] ax25: Fix NULL pointer dereference and lockup.

[Greg KH]

[-- Attachment #1: ax25-fix-null-pointer-dereference-and-lockup.patch --]
[-- Type: text/plain, Size: 1538 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Jarek Poplawski <jarkao2@gmail.com>

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

There is only one function in AX25 calling skb_append(), and it really
looks suspicious: appends skb after previously enqueued one, but in
the meantime this previous skb could be removed from the queue.

This patch Fixes it the simple way, so this is not fully compatible with
the current method, but testing hasn't shown any problems.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ax25/ax25_subr.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/net/ax25/ax25_subr.c
+++ b/net/ax25/ax25_subr.c
@@ -64,20 +64,15 @@ void ax25_frames_acked(ax25_cb *ax25, un
 
 void ax25_requeue_frames(ax25_cb *ax25)
 {
-	struct sk_buff *skb, *skb_prev = NULL;
+	struct sk_buff *skb;
 
 	/*
 	 * Requeue all the un-ack-ed frames on the output queue to be picked
 	 * up by ax25_kick called from the timer. This arrangement handles the
 	 * possibility of an empty output queue.
 	 */
-	while ((skb = skb_dequeue(&ax25->ack_queue)) != NULL) {
-		if (skb_prev == NULL)
-			skb_queue_head(&ax25->write_queue, skb);
-		else
-			skb_append(skb_prev, skb, &ax25->write_queue);
-		skb_prev = skb;
-	}
+	while ((skb = skb_dequeue_tail(&ax25->ack_queue)) != NULL)
+		skb_queue_head(&ax25->write_queue, skb);
 }
 
 /*

-- 

[patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[Greg KH]

[-- Attachment #1: bluetooth-fix-locking-bug-in-the-rfcomm-socket-cleanup-handling.patch --]
[-- Type: text/plain, Size: 2009 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <arjan@linux.intel.com>

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
following operation:

        if (parent && sock_flag(sk, SOCK_ZAPPED)) {
                /* We have to drop DLC lock here, otherwise
                 * rfcomm_sock_destruct() will dead lock. */
                rfcomm_dlc_unlock(d);
                rfcomm_sock_kill(sk);
                rfcomm_dlc_lock(d);
        }
}

which is fine, since rfcomm_sock_kill() will call sk_free() which will call
rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.

HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
called with the rfcomm_dlc_lock() taken. This is the case for all but one
case, and in that case where we don't have the lock, we do a double unlock
followed by an attempt to take the lock, which due to underflow isn't
going anywhere fast.

This patch fixes this by moving the stragling case inside the lock, like
the other usages of the same call are doing in this code.

This was found with the help of the www.kerneloops.org project, where this
deadlock was observed 51 times at this point in time:
http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/bluetooth/rfcomm/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
 
 		rfcomm_dlc_lock(d);
 		d->state = BT_CLOSED;
-		rfcomm_dlc_unlock(d);
 		d->state_change(d, err);
+		rfcomm_dlc_unlock(d);
 
 		skb_queue_purge(&d->tx_queue);
 		rfcomm_dlc_unlink(d);

-- 

[patch 17/47] can: Fix copy_from_user() results interpretation

[Greg KH]

[-- Attachment #1: can-fix-copy_from_user-results-interpretation.patch --]
[-- Type: text/plain, Size: 2062 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Sam Ravnborg <sam@ravnborg.org>

[ Upstream commit: 3f91bd420a955803421f2db17b2e04aacfbb2bb8 ]

Both copy_to_ and _from_user return the number of bytes, that failed to
reach their destination, not the 0/-EXXX values.

Based on patch from Pavel Emelyanov <xemul@openvz.org>

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Oliver Hartkopp <oliver.hartkopp@volkswagen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/can/raw.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -435,15 +435,13 @@ static int raw_setsockopt(struct socket 
 			if (!filter)
 				return -ENOMEM;
 
-			err = copy_from_user(filter, optval, optlen);
-			if (err) {
+			if (copy_from_user(filter, optval, optlen)) {
 				kfree(filter);
-				return err;
+				return -EFAULT;
 			}
 		} else if (count == 1) {
-			err = copy_from_user(&sfilter, optval, optlen);
-			if (err)
-				return err;
+			if (copy_from_user(&sfilter, optval, optlen))
+				return -EFAULT;
 		}
 
 		lock_sock(sk);
@@ -493,9 +491,8 @@ static int raw_setsockopt(struct socket 
 		if (optlen != sizeof(err_mask))
 			return -EINVAL;
 
-		err = copy_from_user(&err_mask, optval, optlen);
-		if (err)
-			return err;
+		if (copy_from_user(&err_mask, optval, optlen))
+			return -EFAULT;
 
 		err_mask &= CAN_ERR_MASK;
 
@@ -531,7 +528,8 @@ static int raw_setsockopt(struct socket 
 		if (optlen != sizeof(ro->loopback))
 			return -EINVAL;
 
-		err = copy_from_user(&ro->loopback, optval, optlen);
+		if (copy_from_user(&ro->loopback, optval, optlen))
+			return -EFAULT;
 
 		break;
 
@@ -539,7 +537,8 @@ static int raw_setsockopt(struct socket 
 		if (optlen != sizeof(ro->recv_own_msgs))
 			return -EINVAL;
 
-		err = copy_from_user(&ro->recv_own_msgs, optval, optlen);
+		if (copy_from_user(&ro->recv_own_msgs, optval, optlen))
+			return -EFAULT;
 
 		break;
 

-- 

[patch 18/47] cassini: Only use chip checksum for ipv4 packets.

[Greg KH]

[-- Attachment #1: cassini-only-use-chip-checksum-for-ipv4-packets.patch --]
[-- Type: text/plain, Size: 1442 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David S. Miller <davem@davemloft.net>

[ upstream commit: b1443e2f6501f06930a162ff1ff08382a98bf23e ]

According to David Monro, at least with Natsemi Saturn chips the
cassini driver has some trouble with ipv6 checksums.

Until we have more information about what's going on here, only
use the chip checksums for ipv4.

This workaround was suggested and tested by David.

Update version and release date.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/cassini.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/net/cassini.c
+++ b/drivers/net/cassini.c
@@ -142,8 +142,8 @@
 
 #define DRV_MODULE_NAME		"cassini"
 #define PFX DRV_MODULE_NAME	": "
-#define DRV_MODULE_VERSION	"1.5"
-#define DRV_MODULE_RELDATE	"4 Jan 2008"
+#define DRV_MODULE_VERSION	"1.6"
+#define DRV_MODULE_RELDATE	"21 May 2008"
 
 #define CAS_DEF_MSG_ENABLE	  \
 	(NETIF_MSG_DRV		| \
@@ -2140,9 +2140,12 @@ end_copy_pkt:
 		if (addr)
 			cas_page_unmap(addr);
 	}
-	skb->csum = csum_unfold(~csum);
-	skb->ip_summed = CHECKSUM_COMPLETE;
 	skb->protocol = eth_type_trans(skb, cp->dev);
+	if (skb->protocol == htons(ETH_P_IP)) {
+		skb->csum = csum_unfold(~csum);
+		skb->ip_summed = CHECKSUM_COMPLETE;
+	} else
+		skb->ip_summed = CHECKSUM_NONE;
 	return len;
 }
 

-- 

[patch 19/47] net: Fix call to ->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags()

[Greg KH]

[-- Attachment #1: net-fix-call-to-change_rx_flags-in-dev_change_flags.patch --]
[-- Type: text/plain, Size: 1114 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: David Woodhouse <dwmw2@infradead.org>

[ upstream commit: 0e91796eb46e29edc791131c832a2232bcaed9dd ]

Am I just being particularly dim today, or can the call to
dev->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags() never
happen?

We've just set dev->flags = flags & IFF_MULTICAST, effectively. So the
condition '(dev->flags ^ flags) & IFF_MULTICAST' is _never_ going to be
true.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3132,7 +3132,7 @@ int dev_change_flags(struct net_device *
 	 *	Load in the correct multicast list now the flags have changed.
 	 */
 
-	if (dev->change_rx_flags && (dev->flags ^ flags) & IFF_MULTICAST)
+	if (dev->change_rx_flags && (old_flags ^ flags) & IFF_MULTICAST)
 		dev->change_rx_flags(dev, IFF_MULTICAST);
 
 	dev_set_rx_mode(dev);

-- 

[patch 20/47] net_sched: cls_api: fix return value for non-existant classifiers

[Greg KH]

[-- Attachment #1: net_sched-cls_api-fix-return-value-for-non-existant-classifiers.patch --]
[-- Type: text/plain, Size: 800 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <kaber@trash.net>

[ upstream commit: f2df824948d559ea818e03486a8583e42ea6ab37 ]

cls_api should return ENOENT when the requested classifier doesn't
exist.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/sched/cls_api.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -220,7 +220,7 @@ replay:
 		tp = kzalloc(sizeof(*tp), GFP_KERNEL);
 		if (tp == NULL)
 			goto errout;
-		err = -EINVAL;
+		err = -ENOENT;
 		tp_ops = tcf_proto_lookup_ops(tca[TCA_KIND]);
 		if (tp_ops == NULL) {
 #ifdef CONFIG_KMOD

-- 

[patch 21/47] ipsec: Use the correct ip_local_out function

[Greg KH]

[-- Attachment #1: ipsec-use-the-correct-ip_local_out-function.patch --]
[-- Type: text/plain, Size: 1824 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Herbert Xu <herbert@gondor.apana.org.au>

[ upstream commit: 1ac06e0306d0192a7a4d9ea1c9e06d355ce7e7d3 ]

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/route.c |    2 +-
 net/ipv6/route.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -162,7 +162,7 @@ static struct dst_ops ipv4_dst_ops = {
 	.negative_advice =	ipv4_negative_advice,
 	.link_failure =		ipv4_link_failure,
 	.update_pmtu =		ip_rt_update_pmtu,
-	.local_out =		ip_local_out,
+	.local_out =		__ip_local_out,
 	.entry_size =		sizeof(struct rtable),
 	.entries =		ATOMIC_INIT(0),
 };
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -105,7 +105,7 @@ static struct dst_ops ip6_dst_ops = {
 	.negative_advice	=	ip6_negative_advice,
 	.link_failure		=	ip6_link_failure,
 	.update_pmtu		=	ip6_rt_update_pmtu,
-	.local_out		=	ip6_local_out,
+	.local_out		=	__ip6_local_out,
 	.entry_size		=	sizeof(struct rt6_info),
 	.entries		=	ATOMIC_INIT(0),
 };

-- 

[patch 22/47] netlink: Fix nla_parse_nested_compat() to call nla_parse() directly

[Greg KH]

[-- Attachment #1: netlink-fix-nla_parse_nested_compat-to-call-nla_parse-directly.patch --]
[-- Type: text/plain, Size: 1678 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Thomas Graf <tgraf@suug.ch>

[ upstream commit: b9a2f2e450b0f770bb4347ae8d48eb2dea701e24 ]

The purpose of nla_parse_nested_compat() is to parse attributes which
contain a struct followed by a stream of nested attributes.  So far,
it called nla_parse_nested() to parse the stream of nested attributes
which was wrong, as nla_parse_nested() expects a container attribute
as data which holds the attribute stream.  It needs to call
nla_parse() directly while pointing at the next possible alignment
point after the struct in the beginning of the attribute.

With this patch, I can no longer reproduce the reported leftover
warnings.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 include/net/netlink.h |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -772,12 +772,13 @@ static inline int __nla_parse_nested_com
 					    const struct nla_policy *policy,
 					    int len)
 {
-	if (nla_len(nla) < len)
+	int nested_len = nla_len(nla) - NLA_ALIGN(len);
+
+	if (nested_len < 0)
 		return -1;
-	if (nla_len(nla) >= NLA_ALIGN(len) + sizeof(struct nlattr))
-		return nla_parse_nested(tb, maxtype,
-					nla_data(nla) + NLA_ALIGN(len),
-					policy);
+	if (nested_len >= nla_attr_size(0))
+		return nla_parse(tb, maxtype, nla_data(nla) + NLA_ALIGN(len),
+				 nested_len, policy);
 	memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1));
 	return 0;
 }

-- 

[patch 23/47] l2tp: avoid skb truesize bug if headroom is increased

[Greg KH]

[-- Attachment #1: l2tp-avoid-skb-truesize-bug-if-headroom-is-increased.patch --]
[-- Type: text/plain, Size: 2488 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: James Chapman <jchapman@katalix.com>

[ upstream commit: 090c48d3dd5ea90b37350334aaed9a93b0c1e0a1 ]

A user reported seeing occasional bugs such as the following when
using the L2TP driver.

  SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208

When L2TP adds its header in the transmit path, it might need to
increase the headroom of the skb. In some cases, the increased
headroom trips a kernel bug when the skb is freed because the skb has
grown beyond its truesize value. The fix is to increase the truesize
by the amount of headroom added, after orphaning the skb.

While here, fix a misleading comment.

Thanks to Iouri Kharon <bc-info@styx.cabel.net> for the initial
report and testing the fix.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/pppol2tp.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -980,6 +980,8 @@ static int pppol2tp_xmit(struct ppp_chan
 	__wsum csum = 0;
 	struct udphdr *uh;
 	unsigned int len;
+	int old_headroom;
+	int new_headroom;
 
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
 		goto abort;
@@ -1001,16 +1003,18 @@ static int pppol2tp_xmit(struct ppp_chan
 
 	/* Check that there's enough headroom in the skb to insert IP,
 	 * UDP and L2TP and PPP headers. If not enough, expand it to
-	 * make room. Note that a new skb (or a clone) is
-	 * allocated. If we return an error from this point on, make
-	 * sure we free the new skb but do not free the original skb
-	 * since that is done by the caller for the error case.
+	 * make room. Adjust truesize.
 	 */
 	headroom = NET_SKB_PAD + sizeof(struct iphdr) +
 		sizeof(struct udphdr) + hdr_len + sizeof(ppph);
+	old_headroom = skb_headroom(skb);
 	if (skb_cow_head(skb, headroom))
 		goto abort;
 
+	new_headroom = skb_headroom(skb);
+	skb_orphan(skb);
+	skb->truesize += new_headroom - old_headroom;
+
 	/* Setup PPP header */
 	__skb_push(skb, sizeof(ppph));
 	skb->data[0] = ppph[0];
@@ -1065,7 +1069,6 @@ static int pppol2tp_xmit(struct ppp_chan
 	/* Get routing info from the tunnel socket */
 	dst_release(skb->dst);
 	skb->dst = dst_clone(__sk_dst_get(sk_tun));
-	skb_orphan(skb);
 	skb->sk = sk_tun;
 
 	/* Queue the packet to IP for output */

-- 

[patch 24/47] vlan: Correctly handle device notifications for layered VLAN devices

[Greg KH]

[-- Attachment #1: vlan-correctly-handle-device-notifications-for-layered-vlan-devices.patch --]
[-- Type: text/plain, Size: 1094 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <kaber@trash.net>

[ upstream commit: 81d85346b3fcd8b3167eac8b5fb415a210bd4345 ]

Commit 30688a9 ([VLAN]: Handle vlan devices net namespace changing)
changed the device notifier to special-case notifications for VLAN
devices, effectively disabling state propagation to underlying VLAN
devices. This is needed for layered VLANs though, so restore the
original behaviour.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/8021q/vlan.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -397,10 +397,8 @@ static int vlan_device_event(struct noti
 	if (dev->nd_net != &init_net)
 		return NOTIFY_DONE;
 
-	if (is_vlan_dev(dev)) {
+	if (is_vlan_dev(dev))
 		__vlan_device_event(dev, event);
-		goto out;
-	}
 
 	grp = __vlan_find_group(dev->ifindex);
 	if (!grp)

-- 

[patch 25/47] tcp: TCP connection times out if ICMP frag needed is delayed

[Greg KH]

[-- Attachment #1: tcp-tcp-connection-times-out-if-icmp-frag-needed-is-delayed.patch --]
[-- Type: text/plain, Size: 2850 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Sridhar Samudrala <sri@us.ibm.com>

[ upstream commit: 7d227cd235c809c36c847d6a597956ad9e9d2bae ]

We are seeing an issue with TCP in handling an ICMP frag needed
message that is received after net.ipv4.tcp_retries1 retransmits.
The default value of retries1 is 3. So if the path mtu changes
and ICMP frag needed is lost for the first 3 retransmits or if
it gets delayed until 3 retransmits are done, TCP doesn't update
MSS correctly and continues to retransmit the orginal message
until it timesout after tcp_retries2 retransmits.

I am seeing this issue even with the latest 2.6.25.4 kernel.

In tcp_retransmit_timer(), when retransmits counter exceeds
tcp_retries1 value, the dst cache entry of the socket is reset.
At this time, if we receive an ICMP frag needed message, the
dst entry gets updated with the new MTU, but the TCP sockets
dst_cache entry remains NULL.

So the next time when we try to retransmit after the ICMP frag
needed is received, tcp_retransmit_skb() gets called. Here the
cur_mss value is calculated at the start of the routine with
a NULL sk_dst_cache. Instead we should call tcp_current_mss after
the rebuild_header that caches the dst entry with the updated mtu.
Also the rebuild_header should be called before tcp_fragment
so that skb is fragmented if the mss goes down.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_output.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1836,7 +1836,7 @@ int tcp_retransmit_skb(struct sock *sk, 
 {
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct inet_connection_sock *icsk = inet_csk(sk);
-	unsigned int cur_mss = tcp_current_mss(sk, 0);
+	unsigned int cur_mss;
 	int err;
 
 	/* Inconslusive MTU probe */
@@ -1858,6 +1858,11 @@ int tcp_retransmit_skb(struct sock *sk, 
 			return -ENOMEM;
 	}
 
+	if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk))
+		return -EHOSTUNREACH; /* Routing failure or similar. */
+
+	cur_mss = tcp_current_mss(sk, 0);
+
 	/* If receiver has shrunk his window, and skb is out of
 	 * new window, do not retransmit it. The exception is the
 	 * case, when window is shrunk to zero. In this case
@@ -1884,9 +1889,6 @@ int tcp_retransmit_skb(struct sock *sk, 
 	    (sysctl_tcp_retrans_collapse != 0))
 		tcp_retrans_try_collapse(sk, skb, cur_mss);
 
-	if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk))
-		return -EHOSTUNREACH; /* Routing failure or similar. */
-
 	/* Some Solaris stacks overoptimize and ignore the FIN on a
 	 * retransmit when old data is attached.  So strip it off
 	 * since it is cheap to do so and saves bytes on the network.

-- 

[patch 26/47] tcp: Allow send-limited cwnd to grow up to max_burst when gso disabled

[Greg KH]

[-- Attachment #1: tcp-allow-send-limited-cwnd-to-grow-up-to-max_burst-when-gso-disabled.patch --]
[-- Type: text/plain, Size: 1172 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: John Heffner <johnwheffner@gmail.com>

[ upstream commit: ce447eb91409225f8a488f6b7b2a1bdf7b2d884f ]

This changes the logic in tcp_is_cwnd_limited() so that cwnd may grow
up to tcp_max_burst() even when sk_can_gso() is false, or when
sysctl_tcp_tso_win_divisor != 0.

Signed-off-by: John Heffner <johnwheffner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_cong.c |   11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -285,14 +285,11 @@ int tcp_is_cwnd_limited(const struct soc
 	if (in_flight >= tp->snd_cwnd)
 		return 1;
 
-	if (!sk_can_gso(sk))
-		return 0;
-
 	left = tp->snd_cwnd - in_flight;
-	if (sysctl_tcp_tso_win_divisor)
-		return left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd;
-	else
-		return left <= tcp_max_burst(tp);
+	if (sk_can_gso(sk) &&
+	    left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd)
+		return 1;
+	return left <= tcp_max_burst(tp);
 }
 EXPORT_SYMBOL_GPL(tcp_is_cwnd_limited);
 

-- 

[patch 27/47] tcp: Limit cwnd growth when deferring for GSO

[Greg KH]

[-- Attachment #1: tcp-limit-cwnd-growth-when-deferring-for-gso.patch --]
[-- Type: text/plain, Size: 1018 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: John Heffner <johnwheffner@gmail.com>

[ upstream commit: 246eb2af060fc32650f07203c02bdc0456ad76c7 ]

This fixes inappropriately large cwnd growth on sender-limited flows
when GSO is enabled, limiting cwnd growth to 64k.

[ Backport to 2.6.25 by replacing sk->sk_gso_max_size with 65536 -DaveM ]

Signed-off-by: John Heffner <johnwheffner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_cong.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -287,7 +287,8 @@ int tcp_is_cwnd_limited(const struct soc
 
 	left = tp->snd_cwnd - in_flight;
 	if (sk_can_gso(sk) &&
-	    left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd)
+	    left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
+	    left * tp->mss_cache < 65536)
 		return 1;
 	return left <= tcp_max_burst(tp);
 }

-- 

[patch 28/47] l2tp: Fix possible WARN_ON from socket code when UDP socket is closed

[Greg KH]

[-- Attachment #1: l2tp-fix-possible-warn_on-from-socket-code-when-udp-socket-is-closed.patch --]
[-- Type: text/plain, Size: 1904 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: James Chapman <jchapman@katalix.com>

[ upstream commit: 199f7d24ae59894243687a234a909f44a8724506 ]

If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.

WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
 [<c0423c58>] warn_on_slowpath+0x41/0x51
 [<c05d33a7>] udp_lib_unhash+0x41/0x68
 [<c059424d>] sk_common_release+0x23/0x90
 [<c05d16be>] udp_lib_close+0x8/0xa
 [<c05d8684>] inet_release+0x42/0x48
 [<c0592599>] sock_release+0x14/0x60
 [<c059299f>] sock_close+0x29/0x30
 [<c046ef52>] __fput+0xad/0x15b
 [<c046f1d9>] fput+0x17/0x19
 [<c046c8c4>] filp_close+0x50/0x5a
 [<c046da06>] sys_close+0x69/0x9f
 [<c04048ce>] syscall_call+0x7/0xb

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/pppol2tp.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -1279,6 +1279,7 @@ out:
 static int pppol2tp_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
+	struct pppol2tp_session *session;
 	int error;
 
 	if (!sk)
@@ -1296,9 +1297,18 @@ static int pppol2tp_release(struct socke
 	sock_orphan(sk);
 	sock->sk = NULL;
 
+	session = pppol2tp_sock_to_session(sk);
+
 	/* Purge any queued data */
 	skb_queue_purge(&sk->sk_receive_queue);
 	skb_queue_purge(&sk->sk_write_queue);
+	if (session != NULL) {
+		struct sk_buff *skb;
+		while ((skb = skb_dequeue(&session->reorder_q))) {
+			kfree_skb(skb);
+			sock_put(sk);
+		}
+	}
 
 	release_sock(sk);
 

-- 

[patch 29/47] l2tp: Fix possible oops if transmitting or receiving when tunnel goes down

[Greg KH]

[-- Attachment #1: l2tp-fix-possible-oops-if-transmitting-or-receiving-when-tunnel-goes-down.patch --]
[-- Type: text/plain, Size: 7930 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: James Chapman <jchapman@katalix.com>

[ upstream commit: 24b95685ffcdb3dc28f64b9e8af6ea3e8360fbc5 ]

Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.

The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.

Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 drivers/net/pppol2tp.c |  101 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 78 insertions(+), 23 deletions(-)

--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -240,12 +240,15 @@ static inline struct pppol2tp_session *p
 	if (sk == NULL)
 		return NULL;
 
+	sock_hold(sk);
 	session = (struct pppol2tp_session *)(sk->sk_user_data);
-	if (session == NULL)
-		return NULL;
+	if (session == NULL) {
+		sock_put(sk);
+		goto out;
+	}
 
 	BUG_ON(session->magic != L2TP_SESSION_MAGIC);
-
+out:
 	return session;
 }
 
@@ -256,12 +259,15 @@ static inline struct pppol2tp_tunnel *pp
 	if (sk == NULL)
 		return NULL;
 
+	sock_hold(sk);
 	tunnel = (struct pppol2tp_tunnel *)(sk->sk_user_data);
-	if (tunnel == NULL)
-		return NULL;
+	if (tunnel == NULL) {
+		sock_put(sk);
+		goto out;
+	}
 
 	BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-
+out:
 	return tunnel;
 }
 
@@ -716,12 +722,14 @@ discard:
 	session->stats.rx_errors++;
 	kfree_skb(skb);
 	sock_put(session->sock);
+	sock_put(sock);
 
 	return 0;
 
 error:
 	/* Put UDP header back */
 	__skb_push(skb, sizeof(struct udphdr));
+	sock_put(sock);
 
 no_tunnel:
 	return 1;
@@ -745,10 +753,13 @@ static int pppol2tp_udp_encap_recv(struc
 	       "%s: received %d bytes\n", tunnel->name, skb->len);
 
 	if (pppol2tp_recv_core(sk, skb))
-		goto pass_up;
+		goto pass_up_put;
 
+	sock_put(sk);
 	return 0;
 
+pass_up_put:
+	sock_put(sk);
 pass_up:
 	return 1;
 }
@@ -858,7 +869,7 @@ static int pppol2tp_sendmsg(struct kiocb
 
 	tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
 	if (tunnel == NULL)
-		goto error;
+		goto error_put_sess;
 
 	/* What header length is configured for this session? */
 	hdr_len = pppol2tp_l2tp_header_len(session);
@@ -870,7 +881,7 @@ static int pppol2tp_sendmsg(struct kiocb
 			   sizeof(ppph) + total_len,
 			   0, GFP_KERNEL);
 	if (!skb)
-		goto error;
+		goto error_put_sess_tun;
 
 	/* Reserve space for headers. */
 	skb_reserve(skb, NET_SKB_PAD);
@@ -900,7 +911,7 @@ static int pppol2tp_sendmsg(struct kiocb
 	error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
 	if (error < 0) {
 		kfree_skb(skb);
-		goto error;
+		goto error_put_sess_tun;
 	}
 	skb_put(skb, total_len);
 
@@ -947,10 +958,33 @@ static int pppol2tp_sendmsg(struct kiocb
 		session->stats.tx_errors++;
 	}
 
+	return error;
+
+error_put_sess_tun:
+	sock_put(session->tunnel_sock);
+error_put_sess:
+	sock_put(sk);
 error:
 	return error;
 }
 
+/* Automatically called when the skb is freed.
+ */
+static void pppol2tp_sock_wfree(struct sk_buff *skb)
+{
+	sock_put(skb->sk);
+}
+
+/* For data skbs that we transmit, we associate with the tunnel socket
+ * but don't do accounting.
+ */
+static inline void pppol2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
+{
+	sock_hold(sk);
+	skb->sk = sk;
+	skb->destructor = pppol2tp_sock_wfree;
+}
+
 /* Transmit function called by generic PPP driver.  Sends PPP frame
  * over PPPoL2TP socket.
  *
@@ -993,10 +1027,10 @@ static int pppol2tp_xmit(struct ppp_chan
 
 	sk_tun = session->tunnel_sock;
 	if (sk_tun == NULL)
-		goto abort;
+		goto abort_put_sess;
 	tunnel = pppol2tp_sock_to_tunnel(sk_tun);
 	if (tunnel == NULL)
-		goto abort;
+		goto abort_put_sess;
 
 	/* What header length is configured for this session? */
 	hdr_len = pppol2tp_l2tp_header_len(session);
@@ -1009,7 +1043,7 @@ static int pppol2tp_xmit(struct ppp_chan
 		sizeof(struct udphdr) + hdr_len + sizeof(ppph);
 	old_headroom = skb_headroom(skb);
 	if (skb_cow_head(skb, headroom))
-		goto abort;
+		goto abort_put_sess_tun;
 
 	new_headroom = skb_headroom(skb);
 	skb_orphan(skb);
@@ -1069,7 +1103,7 @@ static int pppol2tp_xmit(struct ppp_chan
 	/* Get routing info from the tunnel socket */
 	dst_release(skb->dst);
 	skb->dst = dst_clone(__sk_dst_get(sk_tun));
-	skb->sk = sk_tun;
+	pppol2tp_skb_set_owner_w(skb, sk_tun);
 
 	/* Queue the packet to IP for output */
 	len = skb->len;
@@ -1086,8 +1120,14 @@ static int pppol2tp_xmit(struct ppp_chan
 		session->stats.tx_errors++;
 	}
 
+	sock_put(sk_tun);
+	sock_put(sk);
 	return 1;
 
+abort_put_sess_tun:
+	sock_put(sk_tun);
+abort_put_sess:
+	sock_put(sk);
 abort:
 	/* Free the original skb */
 	kfree_skb(skb);
@@ -1191,7 +1231,7 @@ static void pppol2tp_tunnel_destruct(str
 {
 	struct pppol2tp_tunnel *tunnel;
 
-	tunnel = pppol2tp_sock_to_tunnel(sk);
+	tunnel = sk->sk_user_data;
 	if (tunnel == NULL)
 		goto end;
 
@@ -1230,10 +1270,12 @@ static void pppol2tp_session_destruct(st
 	if (sk->sk_user_data != NULL) {
 		struct pppol2tp_tunnel *tunnel;
 
-		session = pppol2tp_sock_to_session(sk);
+		session = sk->sk_user_data;
 		if (session == NULL)
 			goto out;
 
+		BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+
 		/* Don't use pppol2tp_sock_to_tunnel() here to
 		 * get the tunnel context because the tunnel
 		 * socket might have already been closed (its
@@ -1611,7 +1653,7 @@ static int pppol2tp_connect(struct socke
 
 	error = ppp_register_channel(&po->chan);
 	if (error)
-		goto end;
+		goto end_put_tun;
 
 	/* This is how we get the session context from the socket. */
 	sk->sk_user_data = session;
@@ -1631,6 +1673,8 @@ out_no_ppp:
 	PRINTK(session->debug, PPPOL2TP_MSG_CONTROL, KERN_INFO,
 	       "%s: created\n", session->name);
 
+end_put_tun:
+	sock_put(tunnel_sock);
 end:
 	release_sock(sk);
 
@@ -1671,6 +1715,7 @@ static int pppol2tp_getname(struct socke
 	*usockaddr_len = len;
 
 	error = 0;
+	sock_put(sock->sk);
 
 end:
 	return error;
@@ -1909,14 +1954,17 @@ static int pppol2tp_ioctl(struct socket 
 		err = -EBADF;
 		tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
 		if (tunnel == NULL)
-			goto end;
+			goto end_put_sess;
 
 		err = pppol2tp_tunnel_ioctl(tunnel, cmd, arg);
-		goto end;
+		sock_put(session->tunnel_sock);
+		goto end_put_sess;
 	}
 
 	err = pppol2tp_session_ioctl(session, cmd, arg);
 
+end_put_sess:
+	sock_put(sk);
 end:
 	return err;
 }
@@ -2062,14 +2110,17 @@ static int pppol2tp_setsockopt(struct so
 		err = -EBADF;
 		tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
 		if (tunnel == NULL)
-			goto end;
+			goto end_put_sess;
 
 		err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
+		sock_put(session->tunnel_sock);
 	} else
 		err = pppol2tp_session_setsockopt(sk, session, optname, val);
 
 	err = 0;
 
+end_put_sess:
+	sock_put(sk);
 end:
 	return err;
 }
@@ -2184,20 +2235,24 @@ static int pppol2tp_getsockopt(struct so
 		err = -EBADF;
 		tunnel = pppol2tp_sock_to_tunnel(session->tunnel_sock);
 		if (tunnel == NULL)
-			goto end;
+			goto end_put_sess;
 
 		err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
+		sock_put(session->tunnel_sock);
 	} else
 		err = pppol2tp_session_getsockopt(sk, session, optname, &val);
 
 	err = -EFAULT;
 	if (put_user(len, (int __user *) optlen))
-		goto end;
+		goto end_put_sess;
 
 	if (copy_to_user((void __user *) optval, &val, len))
-		goto end;
+		goto end_put_sess;
 
 	err = 0;
+
+end_put_sess:
+	sock_put(sk);
 end:
 	return err;
 }

-- 

[patch 30/47] tcp: fix skb vs fack_count out-of-sync condition

[Greg KH]

[-- Attachment #1: tcp-fix-skb-vs-fack_count-out-of-sync-condition.patch --]
[-- Type: text/plain, Size: 2837 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>

[ upstream commit: a6604471db5e7a33474a7f16c64d6b118fae3e74 ]

This bug is able to corrupt fackets_out in very rare cases.
In order for this to cause corruption:
  1) DSACK in the middle of previous SACK block must be generated.
  2) In order to take that particular branch, part or all of the
     DSACKed segment must already be SACKed so that we have that
     in cache in the first place.
  3) The new info must be top enough so that fackets_out will be
     updated on this iteration.
...then fack_count is updated while skb wasn't, then we walk again
that particular segment thus updating fack_count twice for
a single skb and finally that value is assigned to fackets_out
by tcp_sacktag_one.

It is safe to call tcp_sacktag_one just once for a segment (at
DSACK), no need to call again for plain SACK.

Potential problem of the miscount are limited to premature entry
to recovery and to inflated reordering metric (which could even
cancel each other out in the most the luckiest scenarios :-)).
Both are quite insignificant in worst case too and there exists
also code to reset them (fackets_out once sacked_out becomes zero
and reordering metric on RTO).

This has been reported by a number of people, because it occurred
quite rarely, it has been very evasive. Andy Furniss was able to
get it to occur couple of times so that a bit more info was
collected about the problem using a debug patch, though it still
required lot of checking around. Thanks also to others who have
tried to help here.

This is listed as Bugzilla #10346. The bug was introduced by
me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing &
sack_recv_cache use), I probably thought back then that there's
need to scan that entry twice or didn't dare to make it go
through it just once there. Going through twice would have
required restoring fack_count after the walk but as noted above,
I chose to drop the additional walk step altogether here.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_input.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1393,9 +1393,9 @@ static struct sk_buff *tcp_maybe_skippin
 
 	if (before(next_dup->start_seq, skip_to_seq)) {
 		skb = tcp_sacktag_skip(skb, sk, next_dup->start_seq, fack_count);
-		tcp_sacktag_walk(skb, sk, NULL,
-				 next_dup->start_seq, next_dup->end_seq,
-				 1, fack_count, reord, flag);
+		skb = tcp_sacktag_walk(skb, sk, NULL,
+				     next_dup->start_seq, next_dup->end_seq,
+				     1, fack_count, reord, flag);
 	}
 
 	return skb;

-- 

[patch 31/47] tcp FRTO: Fix fallback to conventional recovery

[Greg KH]

[-- Attachment #1: tcp-frto-fix-fallback-to-conventional-recovery.patch --]
[-- Type: text/plain, Size: 2007 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>

[ upstream commit: a1c1f281b84a751fdb5ff919da3b09df7297619f ]

It seems that commit 009a2e3e4ec ("[TCP] FRTO: Improve
interoperability with other undo_marker users") run into
another land-mine which caused fallback to conventional
recovery to break:

1. Cumulative ACK arrives after FRTO retransmission
2. tcp_try_to_open sees zero retrans_out, clears retrans_stamp
   which should be kept like in CA_Loss state it would be
3. undo_marker change allowed tcp_packet_delayed to return
   true because of the cleared retrans_stamp once FRTO is
   terminated causing LossUndo to occur, which means all loss
   markings FRTO made are reverted.

This means that the conventional recovery basically recovered
one loss per RTT, which is not that efficient. It was quite
unobvious that the undo_marker change broken something like
this, I had a quite long session to track it down because of
the non-intuitiviness of the bug (luckily I had a trivial
reproducer at hand and I was also able to learn to use kprobes
in the process as well :-)).

This together with the NewReno+FRTO fix and FRTO in-order
workaround this fixes Damon's problems, this and the first
mentioned are enough to fix Bugzilla #10063.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Sebastian Hyrwall <zibbe@cisko.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_input.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2465,7 +2465,7 @@ static void tcp_try_to_open(struct sock 
 
 	tcp_verify_left_out(tp);
 
-	if (tp->retrans_out == 0)
+	if (!tp->frto_counter && tp->retrans_out == 0)
 		tp->retrans_stamp = 0;
 
 	if (flag & FLAG_ECE)

-- 

[patch 32/47] tcp FRTO: SACK variant is errorneously used with NewReno

[Greg KH]

[-- Attachment #1: tcp-frto-sack-variant-is-errorneously-used-with-newreno.patch --]
[-- Type: text/plain, Size: 4138 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>

[ upstream commit: 62ab22278308a40bcb7f4079e9719ab8b7fe11b5 ]

Note: there's actually another bug in FRTO's SACK variant, which
is the causing failure in NewReno case because of the error
that's fixed here. I'll fix the SACK case separately (it's
a separate bug really, though related, but in order to fix that
I need to audit tp->snd_nxt usage a bit).

There were two places where SACK variant of FRTO is getting
incorrectly used even if SACK wasn't negotiated by the TCP flow.
This leads to incorrect setting of frto_highmark with NewReno
if a previous recovery was interrupted by another RTO.

An eventual fallback to conventional recovery then incorrectly
considers one or couple of segments as forward transmissions
though they weren't, which then are not LOST marked during
fallback making them "non-retransmittable" until the next RTO.
In a bad case, those segments are really lost and are the only
one left in the window. Thus TCP needs another RTO to continue.
The next FRTO, however, could again repeat the same events
making the progress of the TCP flow extremely slow.

In order for these events to occur at all, FRTO must occur
again in FRTOs step 3 while the key segments must be lost as
well, which is not too likely in practice. It seems to most
frequently with some small devices such as network printers
that *seem* to accept TCP segments only in-order. In cases
were key segments weren't lost, things get automatically
resolved because those wrongly marked segments don't need to be
retransmitted in order to continue.

I found a reproducer after digging up relevant reports (few
reports in total, none at netdev or lkml I know of), some
cases seemed to indicate middlebox issues which seems now
to be a false assumption some people had made. Bugzilla
#10063 _might_ be related. Damon L. Chesser <damon@damtek.com>
had a reproducable case and was kind enough to tcpdump it
for me. With the tcpdump log it was quite trivial to figure
out.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_input.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -113,8 +113,6 @@ int sysctl_tcp_abc __read_mostly;
 #define FLAG_FORWARD_PROGRESS	(FLAG_ACKED|FLAG_DATA_SACKED)
 #define FLAG_ANY_PROGRESS	(FLAG_FORWARD_PROGRESS|FLAG_SND_UNA_ADVANCED)
 
-#define IsSackFrto() (sysctl_tcp_frto == 0x2)
-
 #define TCP_REMNANT (TCP_FLAG_FIN|TCP_FLAG_URG|TCP_FLAG_SYN|TCP_FLAG_PSH)
 #define TCP_HP_BITS (~(TCP_RESERVED_BITS|TCP_FLAG_PSH))
 
@@ -1685,6 +1683,11 @@ static inline void tcp_reset_reno_sack(s
 	tp->sacked_out = 0;
 }
 
+static int tcp_is_sackfrto(const struct tcp_sock *tp)
+{
+	return (sysctl_tcp_frto == 0x2) && !tcp_is_reno(tp);
+}
+
 /* F-RTO can only be used if TCP has never retransmitted anything other than
  * head (SACK enhanced variant from Appendix B of RFC4138 is more robust here)
  */
@@ -1701,7 +1704,7 @@ int tcp_use_frto(struct sock *sk)
 	if (icsk->icsk_mtup.probe_size)
 		return 0;
 
-	if (IsSackFrto())
+	if (tcp_is_sackfrto(tp))
 		return 1;
 
 	/* Avoid expensive walking of rexmit queue if possible */
@@ -1791,7 +1794,7 @@ void tcp_enter_frto(struct sock *sk)
 	/* Earlier loss recovery underway (see RFC4138; Appendix B).
 	 * The last condition is necessary at least in tp->frto_counter case.
 	 */
-	if (IsSackFrto() && (tp->frto_counter ||
+	if (tcp_is_sackfrto(tp) && (tp->frto_counter ||
 	    ((1 << icsk->icsk_ca_state) & (TCPF_CA_Recovery|TCPF_CA_Loss))) &&
 	    after(tp->high_seq, tp->snd_una)) {
 		tp->frto_highmark = tp->high_seq;
@@ -3110,7 +3113,7 @@ static int tcp_process_frto(struct sock 
 		return 1;
 	}
 
-	if (!IsSackFrto() || tcp_is_reno(tp)) {
+	if (!tcp_is_sackfrto(tp)) {
 		/* RFC4138 shortcoming in step 2; should also have case c):
 		 * ACK isn't duplicate nor advances window, e.g., opposite dir
 		 * data, winupdate

-- 

[patch 33/47] tcp FRTO: work-around inorder receivers

[Greg KH]

[-- Attachment #1: tcp-frto-work-around-inorder-receivers.patch --]
[-- Type: text/plain, Size: 2715 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>

[ upstream commit: 79d44516b4b178ffb6e2159c75584cfcfc097914 ]

If receiver consumes segments successfully only in-order, FRTO
fallback to conventional recovery produces RTO loop because
FRTO's forward transmissions will always get dropped and need to
be resent, yet by default they're not marked as lost (which are
the only segments we will retransmit in CA_Loss).

Price to pay about this is occassionally unnecessarily
retransmitting the forward transmission(s). SACK blocks help
a bit to avoid this, so it's mainly a concern for NewReno case
though SACK is not fully immune either.

This change has a side-effect of fixing SACKFRTO problem where
it didn't have snd_nxt of the RTO time available anymore when
fallback become necessary (this problem would have only occured
when RTO would occur for two or more segments and ECE arrives
in step 3; no need to figure out how to fix that unless the
TODO item of selective behavior is considered in future).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Damon L. Chesser <damon@damtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/ipv4/tcp_input.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1841,9 +1841,16 @@ static void tcp_enter_frto_loss(struct s
 			TCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_RETRANS;
 		}
 
-		/* Don't lost mark skbs that were fwd transmitted after RTO */
-		if (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED) &&
-		    !after(TCP_SKB_CB(skb)->end_seq, tp->frto_highmark)) {
+		/* Marking forward transmissions that were made after RTO lost
+		 * can cause unnecessary retransmissions in some scenarios,
+		 * SACK blocks will mitigate that in some but not in all cases.
+		 * We used to not mark them but it was causing break-ups with
+		 * receivers that do only in-order receival.
+		 *
+		 * TODO: we could detect presence of such receiver and select
+		 * different behavior per flow.
+		 */
+		if (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)) {
 			TCP_SKB_CB(skb)->sacked |= TCPCB_LOST;
 			tp->lost_out += tcp_skb_pcount(skb);
 		}
@@ -1859,7 +1866,7 @@ static void tcp_enter_frto_loss(struct s
 	tp->reordering = min_t(unsigned int, tp->reordering,
 			       sysctl_tcp_reordering);
 	tcp_set_ca_state(sk, TCP_CA_Loss);
-	tp->high_seq = tp->frto_highmark;
+	tp->high_seq = tp->snd_nxt;
 	TCP_ECN_queue_cwr(tp);
 
 	tcp_clear_retrans_hints_partial(tp);

-- 

[patch 34/47] mmc: wbsd: initialize tasklets before requesting interrupt

[Greg KH]

[-- Attachment #1: mmc-wbsd-initialize-tasklets-before-requesting-interrupt.patch --]
[-- Type: text/plain, Size: 1689 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Chuck Ebbert <cebbert@redhat.com>

commit cef33400d0349fb24b6f8b7dea79b66e3144fd8b upstream

With CONFIG_DEBUG_SHIRQ set we will get an interrupt as soon as we
allocate one.  Tasklets may be scheduled in the interrupt handler but they
will be initialized after the handler returns, causing a BUG() in
kernel/softirq.c when they run.

Should fix this Fedora bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=449817

Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
Acked-by: Pierre Ossman <drzeus@drzeus.cx>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/mmc/host/wbsd.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/drivers/mmc/host/wbsd.c
+++ b/drivers/mmc/host/wbsd.c
@@ -1457,17 +1457,7 @@ static int __devinit wbsd_request_irq(st
 	int ret;
 
 	/*
-	 * Allocate interrupt.
-	 */
-
-	ret = request_irq(irq, wbsd_irq, IRQF_SHARED, DRIVER_NAME, host);
-	if (ret)
-		return ret;
-
-	host->irq = irq;
-
-	/*
-	 * Set up tasklets.
+	 * Set up tasklets. Must be done before requesting interrupt.
 	 */
 	tasklet_init(&host->card_tasklet, wbsd_tasklet_card,
 			(unsigned long)host);
@@ -1480,6 +1470,15 @@ static int __devinit wbsd_request_irq(st
 	tasklet_init(&host->finish_tasklet, wbsd_tasklet_finish,
 			(unsigned long)host);
 
+	/*
+	 * Allocate interrupt.
+	 */
+	ret = request_irq(irq, wbsd_irq, IRQF_SHARED, DRIVER_NAME, host);
+	if (ret)
+		return ret;
+
+	host->irq = irq;
+
 	return 0;
 }
 

-- 

[patch 35/47] cciss: add new hardware support

[Greg KH]

[-- Attachment #1: cciss-add-new-hardware-support.patch --]
[-- Type: text/plain, Size: 3807 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Mike Miller <mike.miller@hp.com>

commit 24aac480e76c6f5d1391ac05c5e9c0eb9b0cd302 upstream
Date: Thu, 12 Jun 2008 15:21:34 -0700
Subject: [patch 35/47] cciss: add new hardware support

Add support for the next generation of HP Smart Array SAS/SATA
controllers.  Shipping date is late Fall 2008.

Bump the driver version to 3.6.20 to reflect the new hardware support from
patch 1 of this set.

Signed-off-by: Mike Miller <mike.miller@hp.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 Documentation/cciss.txt |    5 +++++
 drivers/block/cciss.c   |   21 ++++++++++++++++-----
 include/linux/pci_ids.h |    1 +
 3 files changed, 22 insertions(+), 5 deletions(-)

--- a/Documentation/cciss.txt
+++ b/Documentation/cciss.txt
@@ -21,6 +21,11 @@ This driver is known to work with the fo
 	* SA E200
 	* SA E200i
 	* SA E500
+	* SA P212
+	* SA P410
+	* SA P410i
+	* SA P411
+	* SA P812
 
 Detecting drive failures:
 -------------------------
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -53,15 +53,16 @@
 #include <linux/scatterlist.h>
 
 #define CCISS_DRIVER_VERSION(maj,min,submin) ((maj<<16)|(min<<8)|(submin))
-#define DRIVER_NAME "HP CISS Driver (v 3.6.14)"
-#define DRIVER_VERSION CCISS_DRIVER_VERSION(3,6,14)
+#define DRIVER_NAME "HP CISS Driver (v 3.6.20)"
+#define DRIVER_VERSION CCISS_DRIVER_VERSION(3, 6, 20)
 
 /* Embedded module documentation macros - see modules.h */
 MODULE_AUTHOR("Hewlett-Packard Company");
-MODULE_DESCRIPTION("Driver for HP Controller SA5xxx SA6xxx version 3.6.14");
+MODULE_DESCRIPTION("Driver for HP Smart Array Controllers");
 MODULE_SUPPORTED_DEVICE("HP SA5i SA5i+ SA532 SA5300 SA5312 SA641 SA642 SA6400"
-			" SA6i P600 P800 P400 P400i E200 E200i E500");
-MODULE_VERSION("3.6.14");
+			" SA6i P600 P800 P400 P400i E200 E200i E500 P700m"
+			" Smart Array G2 Series SAS/SATA Controllers");
+MODULE_VERSION("3.6.20");
 MODULE_LICENSE("GPL");
 
 #include "cciss_cmd.h"
@@ -90,6 +91,11 @@ static const struct pci_device_id cciss_
 	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSD,     0x103C, 0x3215},
 	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSC,     0x103C, 0x3237},
 	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSC,     0x103C, 0x323D},
+	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3241},
+	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3243},
+	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3245},
+	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3247},
+	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3249},
 	{PCI_VENDOR_ID_HP,     PCI_ANY_ID,	PCI_ANY_ID, PCI_ANY_ID,
 		PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
 	{0,}
@@ -123,6 +129,11 @@ static struct board_type products[] = {
 	{0x3215103C, "Smart Array E200i", &SA5_access, 120},
 	{0x3237103C, "Smart Array E500", &SA5_access, 512},
 	{0x323D103C, "Smart Array P700m", &SA5_access, 512},
+	{0x3241103C, "Smart Array P212", &SA5_access, 384},
+	{0x3243103C, "Smart Array P410", &SA5_access, 384},
+	{0x3245103C, "Smart Array P410i", &SA5_access, 384},
+	{0x3247103C, "Smart Array P411", &SA5_access, 384},
+	{0x3249103C, "Smart Array P812", &SA5_access, 384},
 	{0xFFFF103C, "Unknown Smart Array", &SA5_access, 120},
 };
 
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -716,6 +716,7 @@
 #define PCI_DEVICE_ID_HP_CISSA		0x3220
 #define PCI_DEVICE_ID_HP_CISSC		0x3230
 #define PCI_DEVICE_ID_HP_CISSD		0x3238
+#define PCI_DEVICE_ID_HP_CISSE		0x323a
 #define PCI_DEVICE_ID_HP_ZX2_IOC	0x4031
 
 #define PCI_VENDOR_ID_PCTECH		0x1042

-- 

[patch 36/47] hgafb: resource management fix

[Greg KH]

[-- Attachment #1: hgafb-resource-management-fix.patch --]
[-- Type: text/plain, Size: 2221 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Krzysztof Helt <krzysztof.h1@wp.pl>

commit 630c270183133ac25bef8c8d726ac448df9b169a upstream
Date: Thu, 12 Jun 2008 15:21:29 -0700
Subject: [patch 36/47] hgafb: resource management fix

Release ports which are requested during detection which are not freed if
there is no hga card.  Otherwise there is a crash during cat /proc/ioports
command.

Signed-off-by: Krzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/video/hgafb.c |   26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

--- a/drivers/video/hgafb.c
+++ b/drivers/video/hgafb.c
@@ -279,7 +279,7 @@ static void hga_blank(int blank_mode)
 
 static int __init hga_card_detect(void)
 {
-	int count=0;
+	int count = 0;
 	void __iomem *p, *q;
 	unsigned short p_save, q_save;
 
@@ -303,20 +303,18 @@ static int __init hga_card_detect(void)
 	writew(0x55aa, p); if (readw(p) == 0x55aa) count++;
 	writew(p_save, p);
 
-	if (count != 2) {
-		return 0;
-	}
+	if (count != 2)
+		goto error;
 
 	/* Ok, there is definitely a card registering at the correct
 	 * memory location, so now we do an I/O port test.
 	 */
 	
-	if (!test_hga_b(0x66, 0x0f)) {	    /* cursor low register */
-		return 0;
-	}
-	if (!test_hga_b(0x99, 0x0f)) {     /* cursor low register */
-		return 0;
-	}
+	if (!test_hga_b(0x66, 0x0f))	    /* cursor low register */
+		goto error;
+
+	if (!test_hga_b(0x99, 0x0f))     /* cursor low register */
+		goto error;
 
 	/* See if the card is a Hercules, by checking whether the vsync
 	 * bit of the status register is changing.  This test lasts for
@@ -331,7 +329,7 @@ static int __init hga_card_detect(void)
 	}
 
 	if (p_save == q_save) 
-		return 0;
+		goto error;
 
 	switch (inb_p(HGA_STATUS_PORT) & 0x70) {
 		case 0x10:
@@ -348,6 +346,12 @@ static int __init hga_card_detect(void)
 			break;
 	}
 	return 1;
+error:
+	if (release_io_ports)
+		release_region(0x3b0, 12);
+	if (release_io_port)
+		release_region(0x3bf, 1);
+	return 0;
 }
 
 /**

-- 

[patch 37/47] forcedeth: msi interrupts

[Greg KH]

[-- Attachment #1: forcedeth-msi-interrupts.patch --]
[-- Type: text/plain, Size: 2147 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ayaz Abdulla <aabdulla@nvidia.com>

commit 4db0ee176e256444695ee2d7b004552e82fec987 upstream

Add a workaround for lost MSI interrupts.  There is a race condition in
the HW in which future interrupts could be missed.  The workaround is to
toggle the MSI irq mask.

Added cleanup based on comments from Andrew Morton.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/forcedeth.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/drivers/net/forcedeth.c
+++ b/drivers/net/forcedeth.c
@@ -3111,6 +3111,20 @@ static void nv_link_irq(struct net_devic
 	dprintk(KERN_DEBUG "%s: link change notification done.\n", dev->name);
 }
 
+static void nv_msi_workaround(struct fe_priv *np)
+{
+
+	/* Need to toggle the msi irq mask within the ethernet device,
+	 * otherwise, future interrupts will not be detected.
+	 */
+	if (np->msi_flags & NV_MSI_ENABLED) {
+		u8 __iomem *base = np->base;
+
+		writel(0, base + NvRegMSIIrqMask);
+		writel(NVREG_MSI_VECTOR_0_ENABLED, base + NvRegMSIIrqMask);
+	}
+}
+
 static irqreturn_t nv_nic_irq(int foo, void *data)
 {
 	struct net_device *dev = (struct net_device *) data;
@@ -3133,6 +3147,8 @@ static irqreturn_t nv_nic_irq(int foo, v
 		if (!(events & np->irqmask))
 			break;
 
+		nv_msi_workaround(np);
+
 		spin_lock(&np->lock);
 		nv_tx_done(dev);
 		spin_unlock(&np->lock);
@@ -3248,6 +3264,8 @@ static irqreturn_t nv_nic_irq_optimized(
 		if (!(events & np->irqmask))
 			break;
 
+		nv_msi_workaround(np);
+
 		spin_lock(&np->lock);
 		nv_tx_done_optimized(dev, TX_WORK_PER_LOOP);
 		spin_unlock(&np->lock);
@@ -3588,6 +3606,8 @@ static irqreturn_t nv_nic_irq_test(int f
 	if (!(events & NVREG_IRQ_TIMER))
 		return IRQ_RETVAL(0);
 
+	nv_msi_workaround(np);
+
 	spin_lock(&np->lock);
 	np->intr_test = 1;
 	spin_unlock(&np->lock);

-- 

[patch 38/47] tcp: Fix inconsistency source (CA_Open only when !tcp_left_out(tp))

[Greg KH]

[-- Attachment #1: tcp-fix-inconsistency-source.patch --]
[-- Type: text/plain, Size: 3347 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>

[ upstream commit: 8aca6cb1179ed9bef9351028c8d8af852903eae2 ]

It is possible that this skip path causes TCP to end up into an
invalid state where ca_state was left to CA_Open while some
segments already came into sacked_out. If next valid ACK doesn't
contain new SACK information TCP fails to enter into
tcp_fastretrans_alert(). Thus at least high_seq is set
incorrectly to a too high seqno because some new data segments
could be sent in between (and also, limited transmit is not
being correctly invoked there). Reordering in both directions
can easily cause this situation to occur.

I guess we would want to use tcp_moderate_cwnd(tp) there as well
as it may be possible to use this to trigger oversized burst to
network by sending an old ACK with huge amount of SACK info, but
I'm a bit unsure about its effects (mainly to FlightSize), so to
be on the safe side I just currently fixed it minimally to keep
TCP's state consistent (obviously, such nasty ACKs have been
possible this far). Though it seems that FlightSize is already
underestimated by some amount, so probably on the long term we
might want to trigger recovery there too, if appropriate, to make
FlightSize calculation to resemble reality at the time when the
losses where discovered (but such change scares me too much now
and requires some more thinking anyway how to do that as it
likely involves some code shuffling).

This bug was found by Brian Vowell while running my TCP debug
patch to find cause of another TCP issue (fackets_out
miscount).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ipv4/tcp_input.c |   29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2469,6 +2469,20 @@ static inline void tcp_complete_cwr(stru
 	tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);
 }
 
+static void tcp_try_keep_open(struct sock *sk)
+{
+	struct tcp_sock *tp = tcp_sk(sk);
+	int state = TCP_CA_Open;
+
+	if (tcp_left_out(tp) || tp->retrans_out || tp->undo_marker)
+		state = TCP_CA_Disorder;
+
+	if (inet_csk(sk)->icsk_ca_state != state) {
+		tcp_set_ca_state(sk, state);
+		tp->high_seq = tp->snd_nxt;
+	}
+}
+
 static void tcp_try_to_open(struct sock *sk, int flag)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
@@ -2482,15 +2496,7 @@ static void tcp_try_to_open(struct sock 
 		tcp_enter_cwr(sk, 1);
 
 	if (inet_csk(sk)->icsk_ca_state != TCP_CA_CWR) {
-		int state = TCP_CA_Open;
-
-		if (tcp_left_out(tp) || tp->retrans_out || tp->undo_marker)
-			state = TCP_CA_Disorder;
-
-		if (inet_csk(sk)->icsk_ca_state != state) {
-			tcp_set_ca_state(sk, state);
-			tp->high_seq = tp->snd_nxt;
-		}
+		tcp_try_keep_open(sk);
 		tcp_moderate_cwnd(tp);
 	} else {
 		tcp_cwnd_down(sk, flag);
@@ -3296,8 +3302,11 @@ no_queue:
 	return 1;
 
 old_ack:
-	if (TCP_SKB_CB(skb)->sacked)
+	if (TCP_SKB_CB(skb)->sacked) {
 		tcp_sacktag_write_queue(sk, skb, prior_snd_una);
+		if (icsk->icsk_ca_state == TCP_CA_Open)
+			tcp_try_keep_open(sk);
+	}
 
 uninteresting_ack:
 	SOCK_DEBUG(sk, "Ack %u out of %u:%u\n", ack, tp->snd_una, tp->snd_nxt);

-- 

[patch 39/47] IB/umem: Avoid sign problems when demoting npages to integer

[Greg KH]

[-- Attachment #1: ib-umem-avoid-sign-problems-when-demoting-npages-to-integer.patch --]
[-- Type: text/plain, Size: 1898 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Roland Dreier <rolandd@cisco.com>

commit 8079ffa0e18baaf2940e52e0c118eef420a473a4 upstream

On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

	min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

	while (npages) {
		ret = get_user_pages(...);
		npages -= ret;
	}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief.  But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registartion
function where it is promoted to a huge u64 value.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/infiniband/core/umem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -144,7 +144,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
 	ret = 0;
 	while (npages) {
 		ret = get_user_pages(current, current->mm, cur_base,
-				     min_t(int, npages,
+				     min_t(unsigned long, npages,
 					   PAGE_SIZE / sizeof (struct page *)),
 				     1, !umem->writable, page_list, vma_list);
 

-- 

[patch 40/47] m68k: Add ext2_find_{first,next}_bit() for ext4

[Greg KH]

[-- Attachment #1: m68k-add-ext2_find_-first-next-_bit-for-ext4.patch --]
[-- Type: text/plain, Size: 2244 bytes --]


-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

commit 69c5ddf58a03da3686691ad2f293bc79fd977c10 upstream

Add ext2_find_{first,next}_bit(), which are needed for ext4.
They're derived out of the ext2_find_next_zero_bit found in the same file.
Compile tested with crosstools

[Reworked to preserve all symmetry with ext2_find_{first,next}_zero_bit()]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=10393

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 include/asm-m68k/bitops.h |   46 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)

--- a/include/asm-m68k/bitops.h
+++ b/include/asm-m68k/bitops.h
@@ -410,8 +410,50 @@ static inline int ext2_find_next_zero_bi
 	res = ext2_find_first_zero_bit (p, size - 32 * (p - addr));
 	return (p - addr) * 32 + res;
 }
-#define ext2_find_next_bit(addr, size, off) \
-	generic_find_next_le_bit((unsigned long *)(addr), (size), (off))
+
+static inline int ext2_find_first_bit(const void *vaddr, unsigned size)
+{
+	const unsigned long *p = vaddr, *addr = vaddr;
+	int res;
+
+	if (!size)
+		return 0;
+
+	size = (size >> 5) + ((size & 31) > 0);
+	while (*p++ == 0UL)
+	{
+		if (--size == 0)
+			return (p - addr) << 5;
+	}
+
+	--p;
+	for (res = 0; res < 32; res++)
+		if (ext2_test_bit(res, p))
+			break;
+	return (p - addr) * 32 + res;
+}
+
+static inline int ext2_find_next_bit(const void *vaddr, unsigned size,
+				     unsigned offset)
+{
+	const unsigned long *addr = vaddr;
+	const unsigned long *p = addr + (offset >> 5);
+	int bit = offset & 31UL, res;
+
+	if (offset >= size)
+		return size;
+
+	if (bit) {
+		/* Look for one in first longword */
+		for (res = bit; res < 32; res++)
+			if (ext2_test_bit(res, p))
+				return (p - addr) * 32 + res;
+		p++;
+	}
+	/* No set bit yet, search remaining full bytes for a set bit */
+	res = ext2_find_first_bit(p, size - 32 * (p - addr));
+	return (p - addr) * 32 + res;
+}
 
 #endif /* __KERNEL__ */
 

-- 

[patch 41/47] cifs: fix oops on mount when CONFIG_CIFS_DFS_UPCALL is enabled

[Greg KH]

[-- Attachment #1: cifs-fix-oops-on-mount-when-config_cifs_dfs_upcall-is-enabled.patch --]
[-- Type: text/plain, Size: 1730 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Marcin Slusarz <marcin.slusarz@gmail.com>

simple "mount -t cifs //xxx /mnt" oopsed on strlen of options
http://kerneloops.org/guilty.php?guilty=cifs_get_sb&version=2.6.25-release&start=16711 \
68&end=1703935&class=oops

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/cifs/cifsfs.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -97,9 +97,6 @@ cifs_read_super(struct super_block *sb, 
 {
 	struct inode *inode;
 	struct cifs_sb_info *cifs_sb;
-#ifdef CONFIG_CIFS_DFS_UPCALL
-	int len;
-#endif
 	int rc = 0;
 
 	/* BB should we make this contingent on mount parm? */
@@ -117,15 +114,17 @@ cifs_read_super(struct super_block *sb, 
 	 * complex operation (mount), and in case of fail
 	 * just exit instead of doing mount and attempting
 	 * undo it if this copy fails?*/
-	len = strlen(data);
-	cifs_sb->mountdata = kzalloc(len + 1, GFP_KERNEL);
-	if (cifs_sb->mountdata == NULL) {
-		kfree(sb->s_fs_info);
-		sb->s_fs_info = NULL;
-		return -ENOMEM;
+	if (data) {
+		int len = strlen(data);
+		cifs_sb->mountdata = kzalloc(len + 1, GFP_KERNEL);
+		if (cifs_sb->mountdata == NULL) {
+			kfree(sb->s_fs_info);
+			sb->s_fs_info = NULL;
+			return -ENOMEM;
+		}
+		strncpy(cifs_sb->mountdata, data, len + 1);
+		cifs_sb->mountdata[len] = '\0';
 	}
-	strncpy(cifs_sb->mountdata, data, len + 1);
-	cifs_sb->mountdata[len] = '\0';
 #endif
 
 	rc = cifs_mount(sb, cifs_sb, data, devname);

-- 

[patch 42/47] CPUFREQ: Fix format string bug.

[Greg KH]

[-- Attachment #1: cpufreq-fix-format-string-bug.patch --]
[-- Type: text/plain, Size: 896 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Chris Wright <chrisw@sous-sol.org>

commit 326f6a5c9c9e1a62aec37bdc0c3f8d53adabe77b upstream

Format string bug.  Not exploitable, as this is only writable by root,
but worth fixing all the same.

From: Chris Wright <chrisw@sous-sol.org>
Spotted-by: Ilja van Sprundel <ilja@netric.org>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/cpufreq/cpufreq.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -410,7 +410,7 @@ static int cpufreq_parse_governor (char 
 				int ret;
 
 				mutex_unlock(&cpufreq_governor_mutex);
-				ret = request_module(name);
+				ret = request_module("%s", name);
 				mutex_lock(&cpufreq_governor_mutex);
 
 				if (ret == 0)

-- 

[patch 43/47] serial: fix enable_irq_wake/disable_irq_wake imbalance in serial_core.c

[Greg KH]

[-- Attachment #1: serial-fix-enable_irq_wake-disable_irq_wake-imbalance-in-serial_core.c.patch --]
[-- Type: text/plain, Size: 1608 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <arjan@linux.intel.com>

commit 03a74dcc7eebe6edd778317e82fafdf71e68488c in mainline.

enable_irq_wake() and disable_irq_wake() need to be balanced.  However,
serial_core.c calls these for different conditions during the suspend and
resume functions...

This is causing a regular WARN_ON() as found at
http://www.kerneloops.org/search.php?search=set_irq_wake

This patch makes the conditions for triggering the _wake enable/disable
sequence identical.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/serial/serial_core.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/serial/serial_core.c
+++ b/drivers/serial/serial_core.c
@@ -2022,6 +2022,8 @@ int uart_suspend_port(struct uart_driver
 int uart_resume_port(struct uart_driver *drv, struct uart_port *port)
 {
 	struct uart_state *state = drv->state + port->line;
+	struct device *tty_dev;
+	struct uart_match match = {port, drv};
 
 	mutex_lock(&state->mutex);
 
@@ -2031,7 +2033,8 @@ int uart_resume_port(struct uart_driver 
 		return 0;
 	}
 
-	if (!port->suspended) {
+	tty_dev = device_find_child(port->dev, &match, serial_match_port);
+	if (!port->suspended && device_may_wakeup(tty_dev)) {
 		disable_irq_wake(port->irq);
 		mutex_unlock(&state->mutex);
 		return 0;

-- 

[patch 44/47] Kconfig: introduce ARCH_DEFCONFIG to DEFCONFIG_LIST

[Greg KH]

[-- Attachment #1: kconfig-introduce-arch_defconfig-to-defconfig_list.patch --]
[-- Type: text/plain, Size: 1789 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Sam Ravnborg <sam@ravnborg.org>

commit 73531905ed53576d9e8707659a761e7046a60497 in mainline.

init/Kconfig contains a list of configs that are searched
for if 'make *config' are used with no .config present.
Extend this list to look at the config identified by
ARCH_DEFCONFIG.

With this change we now try the defconfig targets last.

This fixes a regression reported
by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 arch/x86/Kconfig |   13 +++----------
 init/Kconfig     |    1 +
 2 files changed, 4 insertions(+), 10 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -24,17 +24,10 @@ config X86
 	select HAVE_KRETPROBES
 	select HAVE_KVM if ((X86_32 && !X86_VOYAGER && !X86_VISWS && !X86_NUMAQ) || X86_64)
 
-config DEFCONFIG_LIST
+config ARCH_DEFCONFIG
 	string
-	depends on X86_32
-	option defconfig_list
-	default "arch/x86/configs/i386_defconfig"
-
-config DEFCONFIG_LIST
-	string
-	depends on X86_64
-	option defconfig_list
-	default "arch/x86/configs/x86_64_defconfig"
+	default "arch/x86/configs/i386_defconfig" if X86_32
+	default "arch/x86/configs/x86_64_defconfig" if X86_64
 
 
 config GENERIC_LOCKBREAK
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -13,6 +13,7 @@ config DEFCONFIG_LIST
 	default "/lib/modules/$UNAME_RELEASE/.config"
 	default "/etc/kernel-config"
 	default "/boot/config-$UNAME_RELEASE"
+	default "$ARCH_DEFCONFIG"
 	default "arch/$ARCH/defconfig"
 
 menu "General setup"

-- 

[patch 45/47] bttv: Fix a deadlock in the bttv driver

[Greg KH]

[-- Attachment #1: bttv-fix-a-deadlock-in-the-bttv-driver.patch --]
[-- Type: text/plain, Size: 2841 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Arjan van de Ven <arjan@linux.intel.com>

commit 81b2dbcad86732ffc02bad87aa25c4651199fc77 in mainline.

vidiocgmbuf() does this:
        mutex_lock(&fh->cap.vb_lock);
        retval = videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
                                     V4L2_MEMORY_MMAP);

and videobuf_mmap_setup() then just does
        mutex_lock(&q->vb_lock);
        ret = __videobuf_mmap_setup(q, bcount, bsize, memory);
        mutex_unlock(&q->vb_lock);

which is an obvious double-take deadlock.

This patch fixes this by having vidiocgmbuf() just call the
__videobuf_mmap_setup function instead.

Acked-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Reported-by: Koos Vriezen <koos.vriezen@gmail.com>
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/media/video/bt8xx/bttv-driver.c |    2 +-
 drivers/media/video/videobuf-core.c     |    3 ++-
 include/media/videobuf-core.h           |    3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/media/video/bt8xx/bttv-driver.c
+++ b/drivers/media/video/bt8xx/bttv-driver.c
@@ -2613,7 +2613,7 @@ static int vidiocgmbuf(struct file *file
 	struct bttv_fh *fh = priv;
 
 	mutex_lock(&fh->cap.vb_lock);
-	retval = videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
+	retval = __videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
 				     V4L2_MEMORY_MMAP);
 	if (retval < 0) {
 		mutex_unlock(&fh->cap.vb_lock);
--- a/drivers/media/video/videobuf-core.c
+++ b/drivers/media/video/videobuf-core.c
@@ -335,7 +335,7 @@ int videobuf_mmap_free(struct videobuf_q
 }
 
 /* Locking: Caller holds q->vb_lock */
-static int __videobuf_mmap_setup(struct videobuf_queue *q,
+int __videobuf_mmap_setup(struct videobuf_queue *q,
 			unsigned int bcount, unsigned int bsize,
 			enum v4l2_memory memory)
 {
@@ -1093,6 +1093,7 @@ EXPORT_SYMBOL_GPL(videobuf_read_stream);
 EXPORT_SYMBOL_GPL(videobuf_read_one);
 EXPORT_SYMBOL_GPL(videobuf_poll_stream);
 
+EXPORT_SYMBOL_GPL(__videobuf_mmap_setup);
 EXPORT_SYMBOL_GPL(videobuf_mmap_setup);
 EXPORT_SYMBOL_GPL(videobuf_mmap_free);
 EXPORT_SYMBOL_GPL(videobuf_mmap_mapper);
--- a/include/media/videobuf-core.h
+++ b/include/media/videobuf-core.h
@@ -227,6 +227,9 @@ unsigned int videobuf_poll_stream(struct
 int videobuf_mmap_setup(struct videobuf_queue *q,
 			unsigned int bcount, unsigned int bsize,
 			enum v4l2_memory memory);
+int __videobuf_mmap_setup(struct videobuf_queue *q,
+			unsigned int bcount, unsigned int bsize,
+			enum v4l2_memory memory);
 int videobuf_mmap_free(struct videobuf_queue *q);
 int videobuf_mmap_mapper(struct videobuf_queue *q,
 			 struct vm_area_struct *vma);

-- 

[patch 46/47] x86: fix recursive dependencies

[Greg KH]

[-- Attachment #1: x86-fix-recursive-dependencies.patch --]
[-- Type: text/plain, Size: 1840 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Roman Zippel <zippel@linux-m68k.org>

commit 823c248e7cc75b4f22da914b01f8e5433cff197e in mainline

The proper dependency check uncovered a few dependency problems,
the subarchitecture used a mixture of selects and depends on SMP
and PCI dependency was messed up.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Ravikiran Thirumalai <kiran@scalex86.org>

---
 arch/x86/Kconfig |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -246,8 +246,7 @@ config X86_ELAN
 
 config X86_VOYAGER
 	bool "Voyager (NCR)"
-	depends on X86_32
-	select SMP if !BROKEN
+	depends on X86_32 && (SMP || BROKEN)
 	help
 	  Voyager is an MCA-based 32-way capable SMP architecture proprietary
 	  to NCR Corp.  Machine classes 345x/35xx/4100/51xx are Voyager-based.
@@ -259,9 +258,8 @@ config X86_VOYAGER
 
 config X86_NUMAQ
 	bool "NUMAQ (IBM/Sequent)"
-	select SMP
+	depends on SMP && X86_32
 	select NUMA
-	depends on X86_32
 	help
 	  This option is used for getting Linux to run on a (IBM/Sequent) NUMA
 	  multiquad box. This changes the way that processors are bootstrapped,
@@ -332,7 +330,7 @@ config X86_RDC321X
 
 config X86_VSMP
 	bool "Support for ScaleMP vSMP"
-	depends on X86_64 && PCI
+	depends on X86_64
 	 help
 	  Support for ScaleMP vSMP systems.  Say 'Y' here if this kernel is
 	  supposed to run on these EM64T-based machines.  Only choose this option
@@ -1384,7 +1382,7 @@ endmenu
 menu "Bus options (PCI etc.)"
 
 config PCI
-	bool "PCI support" if !X86_VISWS
+	bool "PCI support" if !X86_VISWS && !X86_VSMP
 	depends on !X86_VOYAGER
 	default y
 	select ARCH_SUPPORTS_MSI if (X86_LOCAL_APIC && X86_IO_APIC)

-- 

[patch 47/47] mac80211: send association event on IBSS create

[Greg KH]

[-- Attachment #1: mac80211-send-association-event-on-ibss-create.patch --]
[-- Type: text/plain, Size: 1090 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Dan Williams <dcbw@redhat.com>

patch 507b06d0622480f8026d49a94f86068bb0fd6ed6 upstream

Otherwise userspace has no idea the IBSS creation succeeded.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/mac80211/ieee80211_sta.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -2723,6 +2723,7 @@ static int ieee80211_sta_join_ibss(struc
 	struct rate_selection ratesel;
 	u8 *pos;
 	struct ieee80211_sub_if_data *sdata;
+	union iwreq_data wrqu;
 
 	/* Remove possible STA entries from other IBSS networks. */
 	sta_info_flush(local, NULL);
@@ -2863,6 +2864,10 @@ static int ieee80211_sta_join_ibss(struc
 
 	ieee80211_rx_bss_put(dev, bss);
 
+	memset(&wrqu, 0, sizeof(wrqu));
+	memcpy(wrqu.ap_addr.sa_data, bss->bssid, ETH_ALEN);
+	wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
+
 	return res;
 }
 

-- 

Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[Dave Young]

On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <gregkh@suse.de> wrote:
> -stable review patch.  If anyone has any objections, please let us know.
>
> ------------------
> From: Arjan van de Ven <arjan@linux.intel.com>
>
> [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

Hi greg
Please including following commit as well because it will cause another bug:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b

>
> in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
> following operation:
>
>        if (parent && sock_flag(sk, SOCK_ZAPPED)) {
>                /* We have to drop DLC lock here, otherwise
>                 * rfcomm_sock_destruct() will dead lock. */
>                rfcomm_dlc_unlock(d);
>                rfcomm_sock_kill(sk);
>                rfcomm_dlc_lock(d);
>        }
> }
>
> which is fine, since rfcomm_sock_kill() will call sk_free() which will call
> rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.
>
> HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
> called with the rfcomm_dlc_lock() taken. This is the case for all but one
> case, and in that case where we don't have the lock, we do a double unlock
> followed by an attempt to take the lock, which due to underflow isn't
> going anywhere fast.
>
> This patch fixes this by moving the stragling case inside the lock, like
> the other usages of the same call are doing in this code.
>
> This was found with the help of the www.kerneloops.org project, where this
> deadlock was observed 51 times at this point in time:
> http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct
>
> Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
> Acked-by: Marcel Holtmann <marcel@holtmann.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> ---
>  net/bluetooth/rfcomm/core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
>
>                rfcomm_dlc_lock(d);
>                d->state = BT_CLOSED;
> -               rfcomm_dlc_unlock(d);
>                d->state_change(d, err);
> +               rfcomm_dlc_unlock(d);
>
>                skb_queue_purge(&d->tx_queue);
>                rfcomm_dlc_unlink(d);
>
> --
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>



-- 
Regards
dave

Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[David Miller]

From: "Dave Young" <hidave.darkstar@gmail.com>
Date: Sat, 14 Jun 2008 10:50:51 +0800

> On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <gregkh@suse.de> wrote:
> > -stable review patch.  If anyone has any objections, please let us know.
> >
> > ------------------
> > From: Arjan van de Ven <arjan@linux.intel.com>
> >
> > [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]
> 
> Hi greg
> Please including following commit as well because it will cause another bug:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b

Acked-by: David S. Miller <davem@davemloft.net>

Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[Marcel Holtmann]

Hi Dave,

> > Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
> > Acked-by: Marcel Holtmann <marcel@holtmann.org>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> > ---
> >  net/bluetooth/rfcomm/core.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/bluetooth/rfcomm/core.c
> > +++ b/net/bluetooth/rfcomm/core.c
> > @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
> >
> >                rfcomm_dlc_lock(d);
> >                d->state = BT_CLOSED;
> > -               rfcomm_dlc_unlock(d);
> >                d->state_change(d, err);
> > +               rfcomm_dlc_unlock(d);
> >
> >                skb_queue_purge(&d->tx_queue);
> >                rfcomm_dlc_unlink(d);

did we screw up the tabs during the review process here.

Regards

Marcel

Re: [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[Dave Young]

On Sat, Jun 14, 2008 at 8:26 PM, Marcel Holtmann <marcel@holtmann.org> wrote:
> Hi Dave,
>
>> > Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
>> > Acked-by: Marcel Holtmann <marcel@holtmann.org>
>> > Signed-off-by: David S. Miller <davem@davemloft.net>
>> > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
>> > ---
>> >  net/bluetooth/rfcomm/core.c |    2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > --- a/net/bluetooth/rfcomm/core.c
>> > +++ b/net/bluetooth/rfcomm/core.c
>> > @@ -423,8 +423,8 @@ static int __rfcomm_dlc_close(struct rfc
>> >
>> >                rfcomm_dlc_lock(d);
>> >                d->state = BT_CLOSED;
>> > -               rfcomm_dlc_unlock(d);
>> >                d->state_change(d, err);
>> > +               rfcomm_dlc_unlock(d);
>> >
>> >                skb_queue_purge(&d->tx_queue);
>> >                rfcomm_dlc_unlink(d);
>
> did we screw up the tabs during the review process here.

Yes, it's due to my use of gmail web interface.
But please don't worry. I usually post patches by mutt, and reply by
gmail web client to easily quote the original message.

Re: [stable] [patch 16/47] bluetooth: fix locking bug in the rfcomm socket cleanup handling

[Greg KH]

On Fri, Jun 13, 2008 at 08:46:28PM -0700, David Miller wrote:
> From: "Dave Young" <hidave.darkstar@gmail.com>
> Date: Sat, 14 Jun 2008 10:50:51 +0800
> 
> > On Sat, Jun 14, 2008 at 8:10 AM, Greg KH <gregkh@suse.de> wrote:
> > > -stable review patch.  If anyone has any objections, please let us know.
> > >
> > > ------------------
> > > From: Arjan van de Ven <arjan@linux.intel.com>
> > >
> > > [ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]
> > 
> > Hi greg
> > Please including following commit as well because it will cause another bug:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=537d59af73d894750cff14f90fe2b6d77fbab15b
> 
> Acked-by: David S. Miller <davem@davemloft.net>

Thanks, I'll go add it to the tree for this release.

greg k-h

[patch 00/47] 2.6.25-stable review

[Greg KH]

This is the start of the stable review cycle for the 2.6.25.12 release.
There are 47 patches in this series, all will be posted as a response to
this one.  If anyone has any issues with these being applied, please let
us know.  If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
to add your name to the list.  If you want to be off the reviewer list,
also email us.

Responses should be made by July 24, 22:00:00 UTC.  Anything received
after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.12-rc1.gz
and the diffstat can be found below.


thanks,

the -stable release team

-----

 Makefile                                    |    2 
 arch/powerpc/kernel/of_platform.c           |    2 
 block/as-iosched.c                          |    2 
 crypto/chainiv.c                            |   10 +++-
 drivers/base/node.c                         |    4 -
 drivers/block/cciss.c                       |   66 +++++++++++++++-------------
 drivers/char/pcmcia/ipwireless/hardware.c   |    4 +
 drivers/char/rtc.c                          |    3 -
 drivers/char/tpm/tpm_tis.c                  |    1 
 drivers/hwmon/hdaps.c                       |    8 +++
 drivers/isdn/i4l/isdn_common.c              |    4 +
 drivers/md/md.c                             |    6 +-
 drivers/md/raid10.c                         |    2 
 drivers/md/raid5.c                          |   14 ++---
 drivers/media/dvb/dvb-usb/dib0700_devices.c |    7 ++
 drivers/media/dvb/dvb-usb/dvb-usb-ids.h     |    3 -
 drivers/media/video/ov7670.c                |    4 +
 drivers/message/fusion/mptspi.c             |    9 ++-
 drivers/mmc/host/pxamci.c                   |   13 +++++
 drivers/mmc/host/sdhci.c                    |    6 +-
 drivers/net/3c59x.c                         |    5 +-
 drivers/net/wireless/b43/leds.c             |    3 +
 drivers/net/wireless/b43/main.c             |    9 ++-
 drivers/net/wireless/b43legacy/dma.c        |    2 
 drivers/net/wireless/b43legacy/main.c       |    6 +-
 drivers/net/wireless/zd1211rw/zd_usb.c      |    1 
 drivers/rapidio/rio-driver.c                |    2 
 drivers/scsi/esp_scsi.c                     |   22 ++++++++-
 drivers/scsi/ses.c                          |    2 
 drivers/serial/8250.c                       |    3 +
 drivers/serial/serial_core.c                |    4 +
 drivers/usb/core/hcd.c                      |   38 +++++++++++-----
 drivers/usb/host/ehci.h                     |   19 ++++----
 drivers/usb/host/ohci-hcd.c                 |   15 +++++-
 drivers/usb/host/ohci-q.c                   |   12 +++++
 drivers/usb/misc/sisusbvga/sisusb.c         |    2 
 drivers/video/fb_defio.c                    |   20 ++++++++
 fs/buffer.c                                 |   13 +++--
 fs/cifs/cifsacl.c                           |   10 ++--
 fs/exec.c                                   |    2 
 fs/reiserfs/inode.c                         |    2 
 include/linux/fs.h                          |    1 
 kernel/hrtimer.c                            |    8 +++
 lib/ts_bm.c                                 |    2 
 mm/slub.c                                   |    4 +
 net/can/af_can.c                            |   10 ++++
 net/can/bcm.c                               |   23 ++++++++-
 net/can/raw.c                               |    3 +
 net/mac80211/tx.c                           |    9 +++
 net/netfilter/nf_conntrack_proto_tcp.c      |   13 ++---
 50 files changed, 323 insertions(+), 112 deletions(-)

Re: [patch 00/47] 2.6.25-stable review

[Michael Krufky]

Greg KH wrote:
> This is the start of the stable review cycle for the 2.6.25.12 release.
> There are 47 patches in this series, all will be posted as a response to
> this one.  If anyone has any issues with these being applied, please let
> us know.  If anyone is a maintainer of the proper subsystem, and wants
> to add a Signed-off-by: line to the patch, please respond with it.
>
> These patches are sent out with a number of different people on the
> Cc: line.  If you wish to be a reviewer, please email stable@kernel.org
> to add your name to the list.  If you want to be off the reviewer list,
> also email us.
>
> Responses should be made by July 24, 22:00:00 UTC.  Anything received
> after that time might be too late.
>   
Greg,

Would it be possible to add the seven patches that I sent two days ago? 
It is very important that patch #1 gets into the first dot release, to
avoid confusion with cx18 firmware revisions.  Thanks.

These were sent to stable at kernel dot org:

[2.6.26.y PATCH 1/7] V4L: cx18: Upgrade to newer firmware & update
documentation
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007427.html

[2.6.26.y PATCH 2/7] DVB: dib0700: add support for Hauppauge Nova-TD
Stick 52009
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007429.html

[2.6.26.y PATCH 3/7] V4L: uvcvideo: Fix a buffer overflow in format
descriptor parsing
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007428.html

[2.6.26.y PATCH 4/7] V4L: uvcvideo: Use GFP_NOIO when allocating memory
during resume
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007430.html

[2.6.26.y PATCH 5/7] V4L: uvcvideo: Don't free URB buffers on suspend
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007431.html

[2.6.26.y PATCH 6/7] V4L: uvcvideo: Make input device support optional 
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007432.html

[2.6.26.y PATCH 7/7] V4L: uvcvideo: Add support for Medion Akoya Mini
E1210 integrated webcam
http://linuxtv.org/pipermail/v4l-dvb-maintainer/2008-July/007433.html

Regards,

Mike Krufky

Re: [patch 00/47] 2.6.25-stable review

[Michael Krufky]

Michael Krufky wrote:
> Greg KH wrote:
>   
>> This is the start of the stable review cycle for the 2.6.25.12 release.
> Would it be possible to add the seven patches that I sent two days ago? 
> It is very important that patch #1 gets into the first dot release, to
> avoid confusion with cx18 firmware revisions.  Thanks.

Please disregard that email -- I mistakenly thought this was a 2.6.26.1
review cycle -- my mistake!

I'm sorry for the noise.

-Mike