Commits on Nov 26, 2007
  1. @gregkh

    Linux 2.6.23.9

    gregkh committed Nov 26, 2007
  2. @dcbw @gregkh

    ipw2200: batch non-user-requested scan result notifications

    patch 0b53167 in mainline.
    
    ipw2200 makes extensive use of background scanning when unassociated or
    down.  Unfortunately, the firmware sends scan completed events many
    times per second, which the driver pushes directly up to userspace.
    This needlessly wakes up processes listening for wireless events many
    times per second.  Batch together scan completed events for
    non-user-requested scans and send them up to userspace every 4 seconds.
    Scan completed events resulting from an SIOCSIWSCAN call are pushed up
    without delay.
    
    Signed-off-by: Dan Williams <dcbw@redhat.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dcbw committed with gregkh Oct 9, 2007
  3. @oglueck @gregkh

    USB: Nikon D40X unusual_devs entry

    patch d466a91 in mainline.
    
    Not surprisingly the Nikon D40X DSC needs the same quirks as the D40,
    but it has a separate ID.
    See http://bugs.gentoo.org/show_bug.cgi?id=191431
    
    From: Ortwin Glück <odi@odi.ch>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    oglueck committed with gregkh Oct 11, 2007
  4. @jaymzh @gregkh

    USB: unusual_devs modification for Nikon D200

    patch 16eb345 in mainline.
    
    Upgrade the unusual_devs.h file to support the Nikon D200
    
    Signed-off-by: Mike Pagano <mpagano-kernel@mpagano.com>
    Signed-off-by: Phil Dibowitz <phil@ipom.com>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jaymzh committed with gregkh Sep 23, 2007
  5. @gregkh

    softlockup: use cpu_clock() instead of sched_clock()

    patch a3b13c2 in mainline.
    
    sched_clock() is not a reliable time-source, use cpu_clock() instead.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ingo Molnar committed with gregkh Oct 17, 2007
  6. @gregkh

    softlockup watchdog fixes and cleanups

    This is a merge of commits a5f2ce3 and
    43581a1 in mainline to fix a warning in
    the 2.6.23.3 kernel release.
    
    softlockup watchdog: style cleanups
    
    kernel/softirq.c grew a few style uncleanlinesses in the past few
    months, clean that up. No functional changes:
    
    text    data     bss     dec     hex filename
    1126      76       4    1206     4b6 softlockup.o.before
    1129      76       4    1209     4b9 softlockup.o.after
    
    ( the 3 bytes .text increase is due to the "<1>" appended to one of
    the printk messages. )
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    
    softlockup: improve debug output
    
    Improve the debuggability of kernel lockups by enhancing the debug
    output of the softlockup detector: print the task that causes the lockup
    and try to print a more intelligent backtrace.
    
    The old format was:
    
    BUG: soft lockup detected on CPU#1!
    [<c0105e4a>] show_trace_log_lvl+0x19/0x2e
    [<c0105f43>] show_trace+0x12/0x14
    [<c0105f59>] dump_stack+0x14/0x16
    [<c015f6bc>] softlockup_tick+0xbe/0xd0
    [<c013457d>] run_local_timers+0x12/0x14
    [<c01346b8>] update_process_times+0x3e/0x63
    [<c0145fb8>] tick_sched_timer+0x7c/0xc0
    [<c0140a75>] hrtimer_interrupt+0x135/0x1ba
    [<c011bde7>] smp_apic_timer_interrupt+0x6e/0x80
    [<c0105aa3>] apic_timer_interrupt+0x33/0x38
    [<c0104f8a>] syscall_call+0x7/0xb
    =======================
    
    The new format is:
    
    BUG: soft lockup detected on CPU#1! [prctl:2363]
    
    Pid: 2363, comm:                prctl
    EIP: 0060:[<c013915f>] CPU: 1
    EIP is at sys_prctl+0x24/0x18c
    EFLAGS: 00000213    Not tainted  (2.6.22-cfs-v20 #26)
    EAX: 00000001 EBX: 000003e7 ECX: 00000001 EDX: f6df0000
    ESI: 000003e7 EDI: 000003e7 EBP: f6df0fb0 DS: 007b ES: 007b FS: 00d8
    CR0: 8005003b CR2: 4d8c3340 CR3: 3731d000 CR4: 000006d0
    [<c0105e4a>] show_trace_log_lvl+0x19/0x2e
    [<c0105f43>] show_trace+0x12/0x14
    [<c01040be>] show_regs+0x1ab/0x1b3
    [<c015f807>] softlockup_tick+0xef/0x108
    [<c013457d>] run_local_timers+0x12/0x14
    [<c01346b8>] update_process_times+0x3e/0x63
    [<c0145fcc>] tick_sched_timer+0x7c/0xc0
    [<c0140a89>] hrtimer_interrupt+0x135/0x1ba
    [<c011bde7>] smp_apic_timer_interrupt+0x6e/0x80
    [<c0105aa3>] apic_timer_interrupt+0x33/0x38
    [<c0104f8a>] syscall_call+0x7/0xb
    =======================
    
    Note that in the old format we only knew that some system call locked
    up, we didn't know _which_. With the new format we know that it's at a
    specific place in sys_prctl(). [which was where i created an artificial
    kernel lockup to test the new format.]
    
    This is also useful if the lockup happens in user-space - the user-space
    EIP (and other registers) will be printed too. (such a lockup would
    either suggest that the task was running at SCHED_FIFO:99 and looping
    for more than 10 seconds, or that the softlockup detector has a
    false-positive.)
    
    The task name is printed too first, just in case we don't manage to print
    a useful backtrace.
    
    [satyam@infradead.org: fix warning]
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Satyam Sharma <satyam@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ingo Molnar committed with gregkh Nov 18, 2007
  7. @dpreed @gregkh

    x86: fix freeze in x86_64 RTC update code in time_64.c

    patch c399da0 in mainline.
    
    x86: fix freeze in x86_64 RTC update code in time_64.c
    
    Fix hard freeze on x86_64 when the ntpd service calls
    update_persistent_clock()
    
    A repeatable but randomly timed freeze has been happening in Fedora 6
    and 7 for the last year, whenever I run the ntpd service on my AMD64x2
    HP Pavilion dv9000z laptop.  This freeze is due to the use of
    spin_lock(&rtc_lock) under the assumption (per a bad comment) that
    set_rtc_mmss is called only with interrupts disabled.  The call from
    ntp.c to update_persistent_clock is made with interrupts enabled.
    
    [ tglx@linutronix.de: ported to 2.6.23.stable ]
    
    Signed-off-by: David P. Reed <dpreed@reed.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dpreed committed with gregkh Nov 14, 2007
  8. @dpreed @gregkh

    ntp: fix typo that makes sync_cmos_clock erratic

    patch fa6a1a5 in mainline.
    
    ntp: fix typo that makes sync_cmos_clock erratic
    
    Fix a typo in ntp.c that has caused updating of the persistent (RTC)
    clock when synced to NTP to behave erratically.
    
    When debugging a freeze that arises on my AMD64 machines when I
    run the ntpd service, I added a number of printk's to monitor the
    sync_cmos_clock procedure.  I discovered that it was not syncing to
    cmos RTC every 11 minutes as documented, but instead would keep trying
    every second for hours at a time.  The reason turned out to be a typo
    in sync_cmos_clock, where it attempts to ensure that
    update_persistent_clock is called very close to 500 msec. after a 1
    second boundary (required by the PC RTC's spec). That typo referred to
    "xtime" in one spot, rather than "now", which is derived from "xtime"
    but not equal to it.  This makes the test erratic, creating a
    "coin-flip" that decides when update_persistent_clock is called - when
    it is called, which is rarely, it may be at any time during the one
    second period, rather than close to 500 msec, so the value written is
    needlessly incorrect, too.
    
    Signed-off-by: David P. Reed <dpreed@reed.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dpreed committed with gregkh Nov 14, 2007
  9. @gregkh

    x86: return correct error code from child_rip in x86_64 entry.S

    patch 1c5b5cf in mainline.
    
    x86: return correct error code from child_rip in x86_64 entry.S
    
    Right now register edi is just cleared before calling do_exit.
    That is wrong because the correct return value will be ignored.
    Value from rax should be copied to rdi instead of clearing edi.
    
    AK: changed to 32bit move because it's strictly an int
    
    [ tglx: arch/x86 adaptation ]
    
    Signed-off-by: Andrey Mirkin <major@openvz.org>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrey Mirkin committed with gregkh Oct 17, 2007
  10. @gregkh

    x86: NX bit handling in change_page_attr()

    patch 84e0fdb in mainline.
    
    x86: NX bit handling in change_page_attr()
    
    This patch fixes a bug of change_page_attr/change_page_attr_addr on
    Intel x86_64 CPUs.  After changing page attribute to be executable with
    these functions, the page remains un-executable on Intel x86_64 CPU.
    Because on Intel x86_64 CPU, only if the "NX" bits of all four level
    page tables are cleared, the corresponding page is executable (refer to
    section 4.13.2 of Intel 64 and IA-32 Architectures Software Developer's
    Manual).  So, the bug is fixed through clearing the "NX" bit of PMD when
    splitting the huge PMD.
    
    Signed-off-by: Huang Ying <ying.huang@intel.com>
    Cc: Andi Kleen <ak@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Huang, Ying committed with gregkh Oct 17, 2007
  11. @gregkh

    x86: mark read_crX() asm code as volatile

    patch c1217a7 in mainline.
    
    x86: mark read_crX() asm code as volatile
    
    Some gcc versions (I checked at least 4.1.1 from RHEL5 & 4.1.2 from gentoo)
    can generate incorrect code with read_crX()/write_crX() functions mix up,
    due to cached results of read_crX().
    
    The small app for x8664 below compiled with -O2 demonstrates this
    (i686 does the same thing):
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Kirill Korotaev committed with gregkh Oct 17, 2007
  12. @gregkh

    x86: fix off-by-one in find_next_zero_string

    patch 801916c in mainline.
    
    x86: fix off-by-one in find_next_zero_string
    
    Fix an off-by-one error in find_next_zero_string which prevents
    allocating the last bit.
    
    [ tglx: arch/x86 adaptation ]
    
    Signed-off-by: Andrew Hastings <abh@cray.com>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrew Hastings committed with gregkh Oct 17, 2007
  13. @gregkh

    i386: avoid temporarily inconsistent pte-s

    patch aa506dc in mainline.
    
    i386: avoid temporarily inconsistent pte-s
    
    One more of these issues (which were considered fixed a few releases
    back): other than on x86-64, i386 allows set_fixmap() to replace
    already present mappings. Consequently, on PAE, care must be taken to
    not update the high half of a pte while the low half is still holding
    the old value.
    
     [tglx: arch/x86 adaptation]
    
    Signed-off-by: Jan Beulich <jbeulich@novell.com>
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jan Beulich committed with gregkh Oct 17, 2007
  14. @herbertx @gregkh

    libcrc32c: keep intermediate crc state in cpu order

    It's upstream changeset ef19454.
    
    [LIB] crc32c: Keep intermediate crc state in cpu order
    
    crypto/crc32.c:chksum_final() is computing the digest as
    *(__le32 *)out = ~cpu_to_le32(mctx->crc);
    so the low-level crc32c_le routines should just keep
    the crc in cpu order, otherwise it is getting swabbed
    one too many times on big-endian machines.
    
    Signed-off-by: Benny Halevy <bhalevy@fs1.bhalevy.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Nov 15, 2007
  15. @gregkh

    geode: Fix not inplace encryption

    patch 2e21630 in mainline.
    
    Currently the Geode AES module fails to encrypt or decrypt if
    the coherent bits are not set, which is currently the case if the
    encryption does not occur inplace. However, the encryption works
    on my Geode machine _only_ if the coherent bits are always set.
    
    Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
    Acked-by: Jordan Crouse <jordan.crouse@amd.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sebastian Siewior committed with gregkh Nov 10, 2007
  16. @gregkh

    Fix divide-by-zero in the 2.6.23 scheduler code

    No patch in mainline as this logic has been removed from 2.6.24 so it is
    not necessary.
    
    
    https://bugzilla.redhat.com/show_bug.cgi?id=340161
    
    The problem code has been removed in 2.6.24. The below patch disables
    SCHED_FEAT_PRECISE_CPU_LOAD which causes the offending code to be skipped
    but does not prevent the user from enabling it.
    
    The divide-by-zero is here in kernel/sched.c:
    
    static void update_cpu_load(struct rq *this_rq)
    {
    	u64 fair_delta64, exec_delta64, idle_delta64, sample_interval64, tmp64;
    	unsigned long total_load = this_rq->ls.load.weight;
    	unsigned long this_load =  total_load;
    	struct load_stat *ls = &this_rq->ls;
    	int i, scale;
    
    	this_rq->nr_load_updates++;
    	if (unlikely(!(sysctl_sched_features & SCHED_FEAT_PRECISE_CPU_LOAD)))
    		goto do_avg;
    
    	/* Update delta_fair/delta_exec fields first */
    	update_curr_load(this_rq);
    
    	fair_delta64 = ls->delta_fair + 1;
    	ls->delta_fair = 0;
    
    	exec_delta64 = ls->delta_exec + 1;
    	ls->delta_exec = 0;
    
    	sample_interval64 = this_rq->clock - ls->load_update_last;
    	ls->load_update_last = this_rq->clock;
    
    	if ((s64)sample_interval64 < (s64)TICK_NSEC)
    		sample_interval64 = TICK_NSEC;
    
    	if (exec_delta64 > sample_interval64)
    		exec_delta64 = sample_interval64;
    
    	idle_delta64 = sample_interval64 - exec_delta64;
    
    ======>	tmp64 = div64_64(SCHED_LOAD_SCALE * exec_delta64, fair_delta64);
    	tmp64 = div64_64(tmp64 * exec_delta64, sample_interval64);
    
    	this_load = (unsigned long)tmp64;
    
    do_avg:
    
    	/* Update our load: */
    	for (i = 0, scale = 1; i < CPU_LOAD_IDX_MAX; i++, scale += scale) {
    		unsigned long old_load, new_load;
    
    		/* scale is effectively 1 << i now, and >> i divides by scale */
    
    		old_load = this_rq->cpu_load[i];
    		new_load = this_load;
    
    		this_rq->cpu_load[i] = (old_load*(scale-1) + new_load) >> i;
    	}
    }
    
    For stable only; the code has been removed in 2.6.24.
    
    Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
    Acked-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Chuck Ebbert committed with gregkh Nov 14, 2007
  17. @gregkh

    ACPI: VIDEO: Adjust current level to closest available one.

    patch 63f0edf in mainline.
    
    ACPI: VIDEO: Adjust current level to closest available one.
    
    
    Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Alexey Starikovskiy committed with gregkh Nov 15, 2007
  18. @gregkh

    libata: sata_sis: use correct S/G table size

    patch 96af154 in mainline.
    
    [libata] sata_sis: use correct S/G table size
    
    sata_sis has the same restrictions as other SFF controllers, and so must
    use LIBATA_MAX_PRD to denote that SCSI may only fill ATA_MAX_PRD/2
    entries, due to our need to handle IOMMU merging.
    
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jeff Garzik committed with gregkh Nov 15, 2007
  19. @htejun @gregkh

    sata_sis: fix SCR read breakage

    patch aaa092a in mainline.
    
    sata_sis: fix SCR read breakage
    
    SCR read for controllers which use PCI configuration space for SCR
    access got broken while adding @val argument to SCR accessors.  Fix
    it.
    
    Signed-off-by: Tejun Heo <htejun@gmail.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Cc: Tobias Powalowski <t.powa@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Nov 15, 2007
  20. @gregkh

    reiserfs: don't drop PG_dirty when releasing sub-page-sized dirty file

    patch c06a018 in mainline.
    
    This is not a new problem in 2.6.23-git17.  2.6.22/2.6.23 is buggy in the
    same way.
    
    Reiserfs could accumulate dirty sub-page-size files until umount time. 
    They cannot be synced to disk by pdflush routines or explicit `sync'
    commands.  Only `umount' can do the trick.
    
    The direct cause is: the dirty page's PG_dirty is wrongly _cleared_.
    Call trace:
    	 [<ffffffff8027e920>] cancel_dirty_page+0xd0/0xf0
    	 [<ffffffff8816d470>] :reiserfs:reiserfs_cut_from_item+0x660/0x710
    	 [<ffffffff8816d791>] :reiserfs:reiserfs_do_truncate+0x271/0x530
    	 [<ffffffff8815872d>] :reiserfs:reiserfs_truncate_file+0xfd/0x3b0
    	 [<ffffffff8815d3d0>] :reiserfs:reiserfs_file_release+0x1e0/0x340
    	 [<ffffffff802a187c>] __fput+0xcc/0x1b0
    	 [<ffffffff802a1ba6>] fput+0x16/0x20
    	 [<ffffffff8029e676>] filp_close+0x56/0x90
    	 [<ffffffff8029fe0d>] sys_close+0xad/0x110
    	 [<ffffffff8020c41e>] system_call+0x7e/0x83
    
    Fix the bug by removing the cancel_dirty_page() call. Tests show that
    it causes no bad behaviors on various write sizes.
    
    === for the patient ===
    Here are more detailed demonstrations of the problem.
    
    1) the page has both PG_dirty(D)/PAGECACHE_TAG_DIRTY(d) after being written to;
       and then only PAGECACHE_TAG_DIRTY(d) remains after the file is closed.
    
    ------------------------------ screen 0 ------------------------------
    [T0] root /home/wfg# cat > /test/tiny
    [T1] hi
    [T2] root /home/wfg#
    
    ------------------------------ screen 1 ------------------------------
    [T1] root /home/wfg# echo /test/tiny > /proc/filecache
    [T1] root /home/wfg# cat /proc/filecache
         # file /test/tiny
         # flags R:referenced A:active M:mmap U:uptodate D:dirty W:writeback O:owner B:buffer d:dirty w:writeback
         # idx   len     state   refcnt
         0       1       ___UD__Bd_      2
    [T2] root /home/wfg# cat /proc/filecache
         # file /test/tiny
         # flags R:referenced A:active M:mmap U:uptodate D:dirty W:writeback O:owner B:buffer d:dirty w:writeback
         # idx   len     state   refcnt
         0       1       ___U___Bd_      2
    
    2) note the non-zero 'cancelled_write_bytes' after /tmp/hi is copied.
    
    ------------------------------ screen 0 ------------------------------
    [T0] root /home/wfg# echo hi > /tmp/hi
    [T1] root /home/wfg# cp /tmp/hi /dev/stdin /test
    [T2] hi
    [T3] root /home/wfg#
    
    ------------------------------ screen 1 ------------------------------
    [T1] root /proc/4397# cd /proc/`pidof cp`
    [T1] root /proc/4713# cat io
         rchar: 8396
         wchar: 3
         syscr: 20
         syscw: 1
         read_bytes: 0
         write_bytes: 20480
         cancelled_write_bytes: 4096
    [T2] root /proc/4713# cat io
         rchar: 8399
         wchar: 6
         syscr: 21
         syscw: 2
         read_bytes: 0
         write_bytes: 24576
         cancelled_write_bytes: 4096
    
    //Question: the 'write_bytes' is a bit more than expected ;-)
    
    Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Fengguang Wu <wfg@mail.ustc.edu.cn>
    Reviewed-by: Chris Mason <chris.mason@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Fengguang Wu committed with gregkh Nov 15, 2007
  21. @gregkh

    x86: disable preemption in delay_tsc()

    patch 35d5d08 in mainline.
    
    Marin Mitov points out that delay_tsc() can misbehave if it is preempted and
    rescheduled on a different CPU which has a skewed TSC.  Fix it by disabling
    preemption.
    
    (I assume that the worst-case behaviour here is a stall of 2^32 cycles)
    
    Cc: Andi Kleen <ak@suse.de>
    Cc: Marin Mitov <mitov@issp.bas.bg>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrew Morton committed with gregkh Nov 15, 2007
  22. @gregkh

    dmaengine: fix broken device refcounting

    patch 348badf in mainline.
    
    When a DMA device is unregistered, its reference count is decremented twice
    for each channel: Once dma_class_dev_release() and once in
    dma_chan_cleanup().  This may result in the DMA device driver's remove()
    function completing before all channels have been cleaned up, causing lots
    of use-after-free fun.
    
    Fix it by incrementing the device's reference count twice for each
    channel during registration.
    
    [dan.j.williams@intel.com: kill unnecessary client refcounting]
    Signed-off-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Shannon Nelson <shannon.nelson@intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Haavard Skinnemoen committed with gregkh Nov 15, 2007
  23. @gregkh

    nfsd4: recheck for secure ports in fh_verify

    patch 6fa0283 in mainline.
    
    As with
    
    	7fc90ec... "call nfsd_setuser() on fh_compose()..."
    
    this is a case where we need to redo a security check in fh_verify()
    even though the filehandle already has an associated dentry--if the
    filehandle was created by fh_compose() in an earlier operation of the
    nfsv4 compound, then we may not have done these checks yet.
    
    Without this fix it is possible, for example, to traverse from an export
    without the secure ports requirement to one with it in a single
    compound, and bypass the secure port check on the new export.
    
    While we're here, fix up some minor style problems and change a printk()
    to a dprintk(), to make it harder for random unprivileged users to spam
    the logs.
    
    Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
    Reviewed-By: NeilBrown <neilb@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Nov 12, 2007
  24. @gregkh

    knfsd: fix spurious EINVAL errors on first access of new filesystem

    patch ac8587d in mainline.
    
    The v2/v3 acl code in nfsd is translating any return from fh_verify() to
    nfserr_inval.  This is particularly unfortunate in the case of an
    nfserr_dropit return, which is an internal error meant to indicate to
    callers that this request has been deferred and should just be dropped
    pending the results of an upcall to mountd.
    
    Thanks to Roland <devzero@web.de> for bug report and data collection.
    
    Cc: Roland <devzero@web.de>
    Acked-by: Andreas Gruenbacher <agruen@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
    Reviewed-By: NeilBrown <neilb@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    J. Bruce Fields committed with gregkh Nov 12, 2007
  25. @djbw @gregkh

    raid5: fix unending write sequence

    patch 6c55be8 in mainline.
    
    <debug output from Joel's system>
    handling stripe 7629696, state=0x14 cnt=1, pd_idx=2 ops=0:0:0
    check 5: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800ffcffcc0 written 0000000000000000
    check 4: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800fdd4e360 written 0000000000000000
    check 3: state 0x1 toread 0000000000000000 read 0000000000000000 write 0000000000000000 written 0000000000000000
    check 2: state 0x1 toread 0000000000000000 read 0000000000000000 write 0000000000000000 written 0000000000000000
    check 1: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800ff517e40 written 0000000000000000
    check 0: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800fd4cae60 written 0000000000000000
    locked=4 uptodate=2 to_read=0 to_write=4 failed=0 failed_num=0
    for sector 7629696, rmw=0 rcw=0
    </debug>
    
    These blocks were prepared to be written out, but were never handled in
    ops_run_biodrain(), so they remain locked forever.  The operations flags
    are all clear which means handle_stripe() thinks nothing else needs to be
    done.
    
    This state suggests that the STRIPE_OP_PREXOR bit was sampled 'set' when it
    should not have been.  This patch cleans up cases where the code looks at
    sh->ops.pending when it should be looking at the consistent stack-based
    snapshot of the operations flags.
    
    Report from Joel:
    	Resync done. Patch fixes this bug.
    
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Tested-by: Joel Bertrand <joel.bertrand@systella.fr>
    Cc: <stable@kernel.org>
    Cc: Neil Brown <neilb@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    djbw committed with gregkh Nov 15, 2007
  26. @gregkh

    oProfile: oops when profile_pc() returns ~0LU

    patch df9d177 in mainline.
    
    Instruction pointer returned by profile_pc() can be a random value.  This
    breaks the assumption that we can safely set struct op_sample.eip field to a
    magic value to signal to the per-cpu buffer reader side special event like
    task switch, ending up in a segfault in get_task_mm() when profile_pc()
    returns ~0UL.  Fixed by sanitizing the sampled eip and reject/log invalid
    eip.
    
    Problem reported by Sami Farin, patch tested by him.
    
    Signed-off-by: Philippe Elie <phil.el@wanadoo.fr>
    Tested-by: Sami Farin <safari-kernel@safari.iki.fi>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Philippe Elie committed with gregkh Nov 15, 2007
  27. @gregkh

    drivers/video/ps3fb: fix memset size error

    patch 3cc2c17 in mainline.
    
    The size passed to memset is wrong.
    
    Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
    Acked-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Li Zefan committed with gregkh Nov 15, 2007
  28. @gregkh

    i2c/eeprom: Hide Sony Vaio serial numbers

    patch 0f2cbd3 in mainline.
    
    The sysfs interface to DMI data takes care to not make the system
    serial number and UUID world-readable, presumably due to privacy
    concerns. For consistency, we should not let the eeprom driver
    export these same strings to the world on Sony Vaio laptops.
    Instead, only make them readable by root, as we already do for BIOS
    passwords.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with gregkh Nov 16, 2007
  29. @gregkh

    i2c/eeprom: Recognize VGN as a valid Sony Vaio name prefix

    patch 8b925a3 in mainline.
    
    Recent (i.e. 2005 and later) Sony Vaio laptops have names beginning
    with VGN rather than PCG. Update the eeprom driver so that it
    recognizes these.
    
    Why this matters: the eeprom driver hides private data from the
    EEPROMs it recognizes as Vaio EEPROMs (passwords, serial number...) so
    if the driver fails to recognize a Vaio EEPROM as such, the private
    data is exposed to the world.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with gregkh Nov 16, 2007
  30. @gregkh

    i2c-pasemi: Fix NACK detection

    patch be8a1f7 in mainline.
    
    Turns out we don't actually check the status to see if there was a
    device out there to talk to, just if we had a timeout when doing so.
    
    Add the proper check, so we don't falsely think there are devices
    on the bus that are not there, etc.
    
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with gregkh Nov 16, 2007
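
An added example, not part of any commit above or of the kernel tree: a log-triage parser for the two report formats quoted in the "softlockup: improve debug output" commit message, showing what the new format lets a responder extract that the old one did not. It assumes the i386 layout shown there; the embedded reports are trimmed copies of those quoted traces, and the names `parse_softlockups` and `Lockup` are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for the i386 report layout quoted in the commit message (assumption:
# other architectures print different register lines, which are not handled).
HEADER = re.compile(r"BUG: soft lockup detected on CPU#(\d+)!(?: \[(.*):(\d+)\])?")
EIP_AT = re.compile(r"EIP is at (\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
END = re.compile(r"={10,}\s*$")

# Sample input: the old and new reports from the commit message, trimmed.
OLD_REPORT = """\
BUG: soft lockup detected on CPU#1!
[<c0105e4a>] show_trace_log_lvl+0x19/0x2e
[<c015f6bc>] softlockup_tick+0xbe/0xd0
[<c0104f8a>] syscall_call+0x7/0xb
=======================
"""
NEW_REPORT = """\
BUG: soft lockup detected on CPU#1! [prctl:2363]

Pid: 2363, comm:                prctl
EIP: 0060:[<c013915f>] CPU: 1
EIP is at sys_prctl+0x24/0x18c
[<c0105e4a>] show_trace_log_lvl+0x19/0x2e
[<c015f807>] softlockup_tick+0xef/0x108
[<c0104f8a>] syscall_call+0x7/0xb
=======================
"""


@dataclass
class Lockup:
    cpu: int
    comm: Optional[str] = None        # task name, new format only
    pid: Optional[int] = None         # task pid, new format only
    eip_symbol: Optional[str] = None  # function the CPU was stuck in
    eip_offset: Optional[int] = None
    frames: List[str] = field(default_factory=list)

    def summary(self) -> str:
        """One line for an alert or ticket, as specific as the report allows."""
        if self.comm is None:
            # Old format: no task and no EIP, only the detector's own stack.
            outer = self.frames[-1] if self.frames else "no trace"
            return f"CPU{self.cpu}: task unknown, outermost frame {outer}"
        who = f"CPU{self.cpu}: {self.comm}[{self.pid}]"
        if self.eip_symbol is None:
            # The task name is printed first, so it survives a lost backtrace.
            return f"{who}, no EIP line"
        return f"{who} stuck at {self.eip_symbol}+{self.eip_offset:#x}"


def parse_softlockups(text: str) -> List[Lockup]:
    """Extract every soft lockup report from a kernel log, old or new format."""
    reports: List[Lockup] = []
    cur: Optional[Lockup] = None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            # The greedy task-name group splits on the last ':' so a task
            # name that itself contains ':' is kept whole.
            cur = Lockup(cpu=int(m.group(1)), comm=m.group(2),
                         pid=int(m.group(3)) if m.group(3) else None)
            reports.append(cur)
            continue
        if cur is None:
            continue  # frames from unrelated oopses are not ours
        if END.search(line):
            cur = None  # '=====' terminates the report
            continue
        m = EIP_AT.search(line)
        if m:
            cur.eip_symbol, cur.eip_offset = m.group(1), int(m.group(2), 16)
            continue
        m = FRAME.search(line)
        if m:
            cur.frames.append(m.group(1))
    return reports


if __name__ == "__main__":
    for report in parse_softlockups(OLD_REPORT + NEW_REPORT):
        print(report.summary())
```
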
Commits on Nov 16, 2007
  1. @gregkh

    Linux 2.6.23.8

    gregkh committed Nov 16, 2007
  2. @gregkh

    wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
    
    patch a347422 in mainline
    
    The original meaning of the old test (p->state > TASK_STOPPED) was
    "not dead", since it was before TASK_TRACED existed and before the
    state/exit_state split.  It was a wrong correction in commit
    14bf01b to make this test for
    TASK_TRACED instead.  It should have been changed when TASK_TRACED
    was introduced and again when exit_state was introduced.
    
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Cc: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Alexey Dobriyan <adobriyan@sw.ru>
    Cc: Kees Cook <kees@ubuntu.com>
    Acked-by: Scott James Remnant <scott@ubuntu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Roland McGrath committed with gregkh Nov 14, 2007
  3. @gregkh

    TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
    
    patch 96a2d41 in mainline.
    
    NULL ptr can be returned from tcp_write_queue_head to cached_skb
    and then assigned to skb if packets_out was zero. Without this,
    system is vulnerable to carefully crafted ACKs, which obviously
    is remotely triggerable.
    
    Besides, there's very little that needs to be done in sacktag
    if there weren't any packets outstanding, just skipping the rest
    doesn't hurt.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Ilpo Järvinen committed with gregkh Nov 14, 2007
  4. @gregkh

    Linux 2.6.23.7

    gregkh committed Nov 16, 2007
  5. @gregkh

    NFS: Fix a writeback race...

    patch 61e930a in mainline
    
    This patch fixes a regression that was introduced by commit
    44dd151
    
    We cannot zero the user page in nfs_mark_uptodate() any more, since
    
      a) We'd be modifying the page without holding the page lock
      b) We can race with other updates of the page, most notably
         because of the call to nfs_wb_page() in nfs_writepage_setup().
    
    Instead, we do the zeroing in nfs_update_request() if we see that we're
    creating a request that might potentially be marked as up to date.
    
    Thanks to Olivier Paquet for reporting the bug and providing a test-case.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Trond Myklebust committed with gregkh Oct 19, 2007