Commits on Feb 26, 2008
  1. Linux 2.6.24.3

    gregkh committed Feb 26, 2008
  2. x86_64: CPA, fix cache attribute inconsistency bug

    (no matching git id as the upstream code is rewritten)
    
    fix CPA cache attribute bug in v2.6.24. When phys_base is nonzero (when 
    CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates the 
    secondary alias address by -14 MB (depending on the configured offset).
    
    The default 64-bit kernels of Fedora and Ubuntu are affected:
    
       $ grep RELOCA /boot/config-2.6.23.9-85.fc8
         CONFIG_RELOCATABLE=y
    
       $ grep RELOC /boot/config-2.6.22-14-generic
         CONFIG_RELOCATABLE=y
    
    and probably on many other distros as well.
    
    the bug affects all pages in the first 40 MB of physical RAM that
    are allocated by some subsystem that does ioremap_nocache() on them:
    
           if (__pa(address) < KERNEL_TEXT_SIZE) {
    
    Hence we might leave page table entries with inconsistent cache
    attributes around (pages mapped at both UnCacheable and Write-Back),
    and we can also set the wrong kernel text pages to UnCacheable.
    
    the effects of this bug can be random slowdowns and other misbehavior.
    If for example AGP allocates its aperture pages into the first 40 MB
    of physical RAM, then the -14 MB bug might mark random kernel text
    pages as uncacheable, slowing down a random portion of the 64-bit
    kernel until the AGP driver is unloaded.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ingo Molnar committed with gregkh Feb 15, 2008
  3. bonding: fix NULL pointer deref in startup processing

    patch 4fe4763 in mainline.
    
    	Fix the "are we creating a duplicate" check to not compare
    the name if the name is NULL (meaning that the system should select
    a name).  Bug reported by Benny Amorsen <benny+usenet@amorsen.dk>.
    
    Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jay Vosburgh committed with gregkh Feb 15, 2008
  4. POWERPC: Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos
    
    Commit: 092ca5b
    
    [POWERPC] Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos
    
    Commit 6d98bda changed the init order
    for chrp_pci_fixup_vt8231_ata().
    
    It can not work anymore because either the irq is not yet set to 14 or
    pci_get_device() returns nothing.  At least the printk() in
    chrp_pci_fixup_vt8231_ata() does not trigger anymore.
    pata_via works again on Pegasos with the change below.
    
    Signed-off-by: Olaf Hering <olaf@aepfle.de>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    olafhering committed with gregkh Feb 22, 2008
  5. PCMCIA: Fix station address detection in smc

    Commit: a1a98b7
    
    Fix station address detection in smc
    
    Megahertz EM1144 PCMCIA ethernet adapter needs special handling
    because it has two VERS_1 tuples and the station address is in
    the second one. Conversion to generic handling of these fields
    broke it. Reverting that fixes the device.
    
      https://bugzilla.redhat.com/show_bug.cgi?id=233255
    
    Thanks go to Jon Stanley for not giving up on this one until the
    problem was found.
    
    Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Chuck Ebbert committed with gregkh Feb 22, 2008
  6. SCSI: gdth: scan for scsi devices

    commit: 61c9281
    
    The patch: "gdth: switch to modern scsi host registration"
    
    missed one simple fact when moving away from scsi_module.c.
    That is to call scsi_scan_host() on the probed host.
    With this the gdth driver from 2.6.24 is again able to
    see drives and boot.
    
    Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
    Tested-by: Joerg Dorchain <joerg@dorchain.net>
    Tested-by: Stefan Priebe <s.priebe@allied-internet.ag>
    Tested-by: Jon Chelton <jchelton@ffpglobal.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    bharrosh committed with gregkh Feb 14, 2008
  7. USB: fix pm counter leak in usblp

    commit 1902869 upstream
    
    if you fail in open() you must decrement the pm counter again.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Oliver Neukum committed with gregkh Feb 22, 2008
  8. S390: Fix futex_atomic_cmpxchg_std inline assembly.

    commit: d5b02b3 upstream
    
    Add missing exception table entry so that the kernel can handle
    protection exceptions as well on the cs instruction. Currently only
    specification exceptions are handled correctly.
    The missing entry allows user space to crash the kernel.
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Heiko Carstens committed with gregkh Feb 19, 2008
  9. genirq: do not leave interupts enabled on free_irq

    commit 89d694b
    
    The default_disable() function was changed in commit:
    
     76d2160
     genirq: do not mask interrupts by default
    
    It removed the mask function in favour of the default delayed
    interrupt disabling. Unfortunately this also broke the shutdown in
    free_irq() when the last handler is removed from the interrupt for
    those architectures which rely on the default implementations. Now we
    can end up with an enabled interrupt line after the last handler was
    removed, which can result in spurious interrupts.
    
    Fix this by adding a default_shutdown function, which is only
    installed, when the irqchip implementation does provide neither a
    shutdown nor a disable function.
    
    
    Pointed-out-by: Michael Hennerich <Michael.Hennerich@analog.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Ingo Molnar <mingo@elte.hu>
    Tested-by: Michael Hennerich <Michael.Hennerich@analog.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Feb 19, 2008
  10. hrtimer: catch expired CLOCK_REALTIME timers early

    commit 63070a7
    
    A CLOCK_REALTIME timer, which has an absolute expiry time less than
    the clock realtime offset calls with a negative delta into the clock
    events code and triggers the WARN_ON() there.
    
    This is a false positive and needs to be prevented. Check the result
    of timer->expires - timer->base->offset right away and return -ETIME
    right away.
    
    Thanks to Frans Pop, who reported the problem and tested the fixes.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Frans Pop <elendil@planet.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Feb 20, 2008
  11. hrtimer: check relative timeouts for overflow

    commit: 5a7780e
    
    Various user space callers ask for relative timeouts. While we fixed
    that overflow issue in hrtimer_start(), the sites which convert
    relative user space values to absolute timeouts themselves were uncovered.
    
    Instead of putting overflow checks into each place add a function
    which does the sanity checking and convert all affected callers to use
    it.
    
    Thanks to Frans Pop, who reported the problem and tested the fixes.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Ingo Molnar <mingo@elte.hu>
    Tested-by: Frans Pop <elendil@planet.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Feb 20, 2008
  12. SLUB: Deal with annoying gcc warning on kfree()

    patch 5bb983b in mainline.
    
    gcc 4.2 spits out an annoying warning if one casts a const void *
    pointer to a void * pointer. No warning is generated if the
    conversion is done through an assignment.
    
    Signed-off-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Christoph Lameter committed with gregkh Feb 8, 2008
  13. hrtimer: fix *rmtp/restarts handling in compat_sys_nanosleep()

    commit 4165293
    
    Spotted by Pavel Emelyanov and Alexey Dobriyan.
    
    compat_sys_nanosleep() implicitly uses hrtimer_nanosleep_restart(), this can't
    work. Make a suitable compat_nanosleep_restart() helper.
    
    Introduced by commit c70878b
    hrtimer: hook compat_sys_nanosleep up to high res timer code
    
    Also, set ->addr_limit = KERNEL_DS before doing hrtimer_nanosleep(), this func
    was changed by the previous patch and now takes the "__user *" parameter.
    
    Thanks to Ingo Molnar for fixing the bug in this patch.
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alexey Dobriyan <adobriyan@sw.ru>
    Cc: Pavel Emelyanov <xemul@sw.ru>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Toyo Abe <toyoa@mvista.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Oleg Nesterov committed with gregkh Feb 19, 2008
  14. hrtimer: fix *rmtp handling in hrtimer_nanosleep()

    commit 080344b
    
    Spotted by Pavel Emelyanov and Alexey Dobriyan.
    
    hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
    the local variable which lives in the caller's stack frame. This means that
    if sys_restart_syscall() actually happens and it is interrupted as well, we
    don't update the user-space variable, but write into the already dead stack
    frame.
    
    Introduced by commit 04c2271
    hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier
    
    Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
    hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
    
    Small problem remains. man 2 nanosleep states that *rmtp should be written if
    nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
    if nanosleep returns 0), but (with or without this patch) we can dirty *rem
    even if nanosleep() returns 0.
    
    NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
    bugs. Fixed by the next patch.
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Alexey Dobriyan <adobriyan@sw.ru>
    Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
    Cc: Pavel Emelyanov <xemul@sw.ru>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Toyo Abe <toyoa@mvista.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Oleg Nesterov committed with gregkh Feb 19, 2008
  15. Disable G5 NAP mode during SMU commands on U3

    patch 592a607 in mainline.
    
    It appears that with the U3 northbridge, if the processor is in NAP
    mode the whole time while waiting for an SMU command to complete,
    then the SMU will fail.  It could be related to the weird backward
    mechanism the SMU uses to get to system memory via i2c to the
    northbridge that doesn't operate properly when the said bridge is
    napping along with the CPU.  That is on U3 at least, U4 doesn't
    seem to be affected.
    
    This didn't show before NO_HZ as the timer wakeup was enough to make
    it work it seems, but that is no longer the case.
    
    This fixes it by disabling NAP mode on those machines while
    an SMU command is in flight.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ozbenh committed with gregkh Feb 7, 2008
  16. Be more robust about bad arguments in get_user_pages()

    patch 900cf08 in mainline.
    
    So I spent a while pounding my head against my monitor trying to figure
    out the vmsplice() vulnerability - how could a failure to check for
    *read* access turn into a root exploit? It turns out that it's a buffer
    overflow problem which is made easy by the way get_user_pages() is
    coded.
    
    In particular, "len" is a signed int, and it is only checked at the
    *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
    will execute once and decrement len to -1.  At that point, the loop will
    proceed until the next invalid address is found; in the process, it will
    likely overflow the pages array passed in to get_user_pages().
    
    I think that, if get_user_pages() has been asked to grab zero pages,
    that's what it should do.  Thus this patch; it is, among other things,
    enough to block the (already fixed) root exploit and any others which
    might be lurking in similar code.  I also think that the number of pages
    should be unsigned, but changing the prototype of this function probably
    requires some more careful review.
    
    Signed-off-by: Jonathan Corbet <corbet@lwn.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jonathan Corbet committed with gregkh Feb 11, 2008
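
The loop shape described in the commit message above, as a user-space model. This is an added example, not the kernel's code: `gup_model`, its parameters and the sample values are hypothetical, and the guarded branch assumes the fix is an early return when zero (or fewer) pages are requested, since the patch text is not on this page.

```c
#include <stdio.h>
#include <stddef.h>

/* Result of one modelled call. Nothing is written out of bounds here: the
 * model only counts the stores the kernel loop would have performed. */
struct gup_result {
    int stored;      /* entries the loop tried to put into pages[] */
    int overflowed;  /* 1 if any store landed past the caller's array */
};

/*
 * len     - number of pages requested (signed int, as in the commit message)
 * mapped  - constructed input: consecutive valid pages before the next
 *           invalid address
 * cap     - size of the caller's pages[] array
 * guarded - 0: loop shape described in the commit message
 *           1: assumed fix, "asked for zero pages => grab zero pages"
 */
static struct gup_result gup_model(int len, int mapped, size_t cap, int guarded)
{
    struct gup_result r = { 0, 0 };
    int i = 0;

    if (guarded && len <= 0)
        return r;

    do {
        if (i >= mapped)        /* next invalid address: the only other exit */
            break;
        if ((size_t)i >= cap)
            r.overflowed = 1;   /* kernel code would store pages[i] here */
        i++;
        len--;                  /* a len of 0 becomes -1 on the first pass */
    } while (len);              /* tested only at the end; -1 is "true" */

    r.stored = i;
    return r;
}

int main(void)
{
    /* Constructed scenario: 16-entry array, 40 mapped pages follow. */
    struct gup_result ok   = gup_model(4, 40, 16, 0);
    struct gup_result bad  = gup_model(0, 40, 16, 0);
    struct gup_result safe = gup_model(0, 40, 16, 1);

    printf("len=4 unguarded: stored=%d overflow=%d\n", ok.stored, ok.overflowed);
    printf("len=0 unguarded: stored=%d overflow=%d\n", bad.stored, bad.overflowed);
    printf("len=0 guarded:   stored=%d overflow=%d\n", safe.stored, safe.overflowed);
    return 0;
}
```
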
  17. AUDIT: Increase skb->truesize in audit_expand

    Upstream commit: 406a1d8
    
    The recent UDP patch exposed this bug in the audit code.  It
    was calling pskb_expand_head without increasing skb->truesize.
    The caller of pskb_expand_head needs to do so because that function
    is designed to be called in places where truesize is already fixed
    and therefore it doesn't update its value.
    
    Because the audit system is using it in a place where the truesize
    has not yet been fixed, it needs to update its value manually.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: James Morris <jmorris@namei.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Feb 15, 2008
  18. BLUETOOTH: Add conn add/del workqueues to avoid connection fail.

    Upstream commit: b6c0632
    
    The bluetooth hci_conn sysfs add/del executed in the default
    workqueue.  If the del_conn is executed after the new add_conn with
    same target, add_conn will fail with warning of "same kobject name".
    
    Here add btaddconn & btdelconn workqueues, flush the btdelconn
    workqueue in the add_conn function to avoid the issue.
    
    Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    hidave committed with gregkh Feb 15, 2008
  19. INET: Prevent out-of-sync truesize on ip_fragment slow path

    Upstream commit: 29ffe1a
    
    When ip_fragment has to hit the slow path the value of skb->truesize
    may go out of sync because we would have updated it without changing
    the packet length.  This violates the constraints on truesize.
    
    This patch postpones the update of skb->truesize to prevent this.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Feb 15, 2008
  20. INET_DIAG: Fix inet_diag_lock_handler error path.

    Upstream commit: 8cf8e5a
    
    Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825
    
    The inet_diag_lock_handler function uses ERR_PTR to encode errors but
    its callers were testing against NULL.
    
    This only happens when the only inet_diag modular user, DCCP, is not
    built into the kernel or available as a module.
    
    Also there was a problem with not dropping the mutex lock when a handler
    was not found, also fixed in this patch.
    
    This caused an OOPS and ss would then hang on subsequent calls, as
    &inet_diag_table_mutex was being left locked.
    
    Thanks to spike at ml.yaroslavl.ru for reporting it after trying 'ss -d'
    on a kernel that doesn't have DCCP available.
    
    This bug was introduced in cset
    d523a32 ("Fix inet_diag dead-lock
    regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected.
    
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Arnaldo Carvalho de Melo committed with gregkh Feb 15, 2008
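
The two defects named in the commit message above (a NULL test on an ERR_PTR-encoded return, and a lock left held on the not-found path), modelled in user space. This is an added example, not the kernel's code: the helpers mirror the kernel's error-pointer convention, while the handler table, `table_locked`, `WOULD_OOPS` and the `get_exact_*` callers are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space copies of the kernel's error-pointer convention. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err)      { return (void *)err; }
static inline long  PTR_ERR(const void *p) { return (long)p; }
static inline int   IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

#define WOULD_OOPS 1000  /* model marker: an error pointer reached a dereference */

struct handler { int (*dump)(void); };

static int tcp_dump(void) { return 0; }
static const struct handler tcp_handler = { tcp_dump };

/* Constructed table: slot 0 is registered, slot 1 (standing in for the
 * missing DCCP module) is not. */
static const struct handler *table[2] = { &tcp_handler, NULL };
static int table_locked;                   /* models the table mutex */

static const struct handler *lock_handler(int type)
{
    table_locked = 1;
    if (!table[type])
        return ERR_PTR(-ENOENT);           /* error is encoded, lock is held */
    return table[type];
}

static void unlock_handler(void) { table_locked = 0; }

/* Caller shape described in the commit message: tests against NULL. */
static int get_exact_buggy(int type)
{
    const struct handler *h = lock_handler(type);
    int ret;

    if (h == NULL)                         /* never true for an ERR_PTR value */
        return -ENOENT;
    if (IS_ERR(h))                         /* model only: real code would call */
        return WOULD_OOPS;                 /* h->dump() here, lock still held */
    ret = h->dump();
    unlock_handler();
    return ret;
}

/* Corrected shape: decode with IS_ERR/PTR_ERR, unlock on every path. */
static int get_exact_fixed(int type)
{
    const struct handler *h = lock_handler(type);
    int ret;

    if (IS_ERR(h))
        ret = (int)PTR_ERR(h);
    else
        ret = h->dump();
    unlock_handler();
    return ret;
}

int main(void)
{
    int r = get_exact_buggy(1);
    printf("buggy: ret=%d locked=%d\n", r, table_locked);
    unlock_handler();                      /* reset the model between runs */
    r = get_exact_fixed(1);
    printf("fixed: ret=%d locked=%d\n", r, table_locked);
    return 0;
}
```
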
  21. IPCOMP: Fetch nexthdr before ipch is destroyed

    Upstream commit: 2614fa5
    
    When I moved the nexthdr setting out of IPComp I accidentally moved
    the reading of ipch->nexthdr after the decompression.  Unfortunately
    this means that we'd be reading from a stale ipch pointer which
    doesn't work very well.
    
    This patch moves the reading up so that we get the correct nexthdr
    value.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Feb 15, 2008
  22. IPCOMP: Fix reception of incompressible packets

    Upstream commit: b164106
    
    I made a silly typo by entering IPPROTO_IP (== 0) instead of
    IPPROTO_IPIP (== 4).  This broke the reception of incompressible
    packets.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Feb 15, 2008
  23. IPV4: fib: fix route replacement, fib_info is shared

    Upstream commit: c18865f
    
    fib_info can be shared by many route prefixes but we don't want
    duplicate alternative routes for a prefix+tos+priority. Last change
    was not correct to check fib_treeref because it accounts usage from
    other prefixes. Additionally, avoid replacement without error if new
    route is same, as Joonwoo Park suggests.
    
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Julian Anastasov committed with gregkh Feb 15, 2008
  24. IPV4: fib_trie: apply fixes from fib_hash

    Upstream commit: 936f6f8
    
    	Update fib_trie with some fib_hash fixes:
    - check for duplicate alternative routes for prefix+tos+priority when
    replacing route
    - properly insert by matching tos together with priority
    - fix alias walking to use list_for_each_entry_continue for insertion
    and deletion when fa_head is not NULL
    - copy state from fa to new_fa on replace (not a problem for now)
    - additionally, avoid replacement without error if new route is same,
    as Joonwoo Park suggests.
    
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Julian Anastasov committed with gregkh Feb 15, 2008
  25. NET: Add if_addrlabel.h to sanitized headers.

    Upstream commit: dded916
    
    if_addrlabel.h is needed for iproute2 usage.
    
    Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stephen Hemminger committed with gregkh Feb 15, 2008
  26. PKT_SCHED: ematch: oops from uninitialized variable (resend)

    Upstream commit: 268bcca
    
    Setting up a meta match causes a kernel OOPS because of uninitialized
    elements in tree.
    
    [   37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    [   37.322381] IP: [<ffffffff883fc717>] :em_meta:em_meta_destroy+0x17/0x80
    
    [   37.322381] Call Trace:
    [   37.322381]  [<ffffffff803ec83d>] tcf_em_tree_destroy+0x2d/0xa0
    [   37.322381]  [<ffffffff803ecc8c>] tcf_em_tree_validate+0x2dc/0x4a0
    [   37.322381]  [<ffffffff803f06d2>] nla_parse+0x92/0xe0
    [   37.322381]  [<ffffffff883f9672>] :cls_basic:basic_change+0x202/0x3c0
    [   37.322381]  [<ffffffff802a3917>] kmem_cache_alloc+0x67/0xa0
    [   37.322381]  [<ffffffff803ea221>] tc_ctl_tfilter+0x3b1/0x580
    [   37.322381]  [<ffffffff803dffd0>] rtnetlink_rcv_msg+0x0/0x260
    [   37.322381]  [<ffffffff803ee944>] netlink_rcv_skb+0x74/0xa0
    [   37.322381]  [<ffffffff803dffc8>] rtnetlink_rcv+0x18/0x20
    [   37.322381]  [<ffffffff803ee6c3>] netlink_unicast+0x263/0x290
    [   37.322381]  [<ffffffff803cf276>] __alloc_skb+0x96/0x160
    [   37.322381]  [<ffffffff803ef014>] netlink_sendmsg+0x274/0x340
    [   37.322381]  [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
    [   37.322381]  [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
    [   37.322381]  [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
    [   37.322381]  [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
    [   37.322381]  [<ffffffff80288611>] zone_statistics+0xb1/0xc0
    [   37.322381]  [<ffffffff803c7e5e>] sys_sendmsg+0x20e/0x360
    [   37.322381]  [<ffffffff803c7411>] sockfd_lookup_light+0x41/0x80
    [   37.322381]  [<ffffffff8028d04b>] handle_mm_fault+0x3eb/0x7f0
    [   37.322381]  [<ffffffff8020c2fb>] system_call_after_swapgs+0x7b/0x80
    
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stephen Hemminger committed with gregkh Feb 15, 2008
  27. SELinux: Fix double free in selinux_netlbl_sock_setsid()

    Upstream commit: e1770d9
    
    As pointed out by Adrian Bunk, commit
    45c950e ("fix memory leak in netlabel
    code") caused a double-free when security_netlbl_sid_to_secattr()
    fails.  This patch fixes this by removing the netlbl_secattr_destroy()
    call from that function since we are already releasing the secattr
    memory in selinux_netlbl_sock_setsid().
    
    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pcmoore committed with gregkh Feb 15, 2008
  28. TC: oops in em_meta

    Upstream commit: 04f217a
    
    If userspace passes an unknown match index into em_meta, then
    em_meta_change will return an error and the data for the match will
    not be set. This then causes a null pointer dereference when the
    cleanup is done in the error path via tcf_em_tree_destroy. Since the
    tree structure comes from kzalloc, it is initialized to NULL.
    
    Discovered when testing a new version of tc command against an
    accidental older kernel.
    
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stephen Hemminger committed with gregkh Feb 15, 2008
  29. TCP: Fix a bug in strategy_allowed_congestion_control

    Upstream commit: 16ca3f9
    
    In strategy_allowed_congestion_control of the 2.6.24 kernel, when
    sysctl_string returns 1 on success, it should call
    tcp_set_allowed_congestion_control to set the allowed congestion
    control. But it doesn't.  The sysctl_string returns 1 on success,
    otherwise returns negative, never returns 0. The patch fixes the problem.
    
    Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
    Acked-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Shan Wei committed with gregkh Feb 15, 2008
  30. SCSI: sd: handle bad lba in sense information

    patch 366c246 in mainline.
    
    Some devices report medium error locations incorrectly.  Add guards to
    make sure the reported bad lba is actually in the request that caused
    it.  Additionally remove the large case statement for sector sizes and
    replace it with the proper u64 divisions.
    
    Tested-by: Mike Snitzer <snitzer@gmail.com>
    Cc: Stable Tree <stable@kernel.org>
    Cc: Tony Battersby <tonyb@cybernetics.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    James Bottomley committed with gregkh Feb 2, 2008
  31. Fix dl2k constants

    patch 9c52fab in mainline.
    
    The MSSR constants didn't match the reality - bitfield declarations
    used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum
    had them the other way round.  Went unnoticed until the switch from
    the bitfields use to the explicit arithmetics and I hadn't caught that one
    when verifying correctness of change...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Al Viro committed with gregkh Feb 1, 2008
  32. XFS: Fix oops in xfs_file_readdir()

    patch 450790a in mainline.
    
    Several occurrences of oops in xfs_file_readdir() on ia32 have been
    reported since 2.6.24 was released. This is a regression introduced
    in 2.6.24 and is relatively easy to hit. The patch below fixes the
    problem.
    
    
    Signed-off-by: Dave Chinner <dgc@sgi.com>
    Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    David Chinner committed with gregkh Feb 5, 2008
  33. hugetlb: add locking for overcommit sysctl

    patch a3d0c6a in mainline.
    
    When I replaced hugetlb_dynamic_pool with nr_overcommit_hugepages I used
    proc_doulongvec_minmax() directly.  However, hugetlb.c's locking rules
    require that all counter modifications occur under the hugetlb_lock.  Add a
    callback into the hugetlb code similar to the one for nr_hugepages.  Grab
    the lock around the manipulation of nr_overcommit_hugepages in
    proc_doulongvec_minmax().
    
    Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com>
    Acked-by: Adam Litke <agl@us.ibm.com>
    Cc: David Gibson <david@gibson.dropbear.id.au>
    Cc: William Lee Irwin III <wli@holomorphy.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Nishanth Aravamudan committed with gregkh Feb 8, 2008
  34. inotify: fix check for one-shot watches before destroying them

    patch ac74c00 in mainline.
    
    As the IN_ONESHOT bit is never set when an event is sent we must check it
    in the watch's mask and not in the event's mask.
    
    Signed-off-by: Ulisses Furquim <ulissesf@gmail.com>
    Reported-by: "Clem Taylor" <clem.taylor@gmail.com>
    Tested-by: "Clem Taylor" <clem.taylor@gmail.com>
    Cc: Amy Griffis <amy.griffis@hp.com>
    Cc: Robert Love <rlove@google.com>
    Cc: John McCutchan <ttb@tentacle.dhs.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ulissesf committed with gregkh Feb 8, 2008
  35. NFS: Fix a potential file corruption issue when writing

    patch 5d47a35 in mainline.
    
    If the inode is flagged as having an invalid mapping, then we can't rely on
    the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
    write optimisation in nfs_updatepage(), since that will cause NFS to write
    out areas of the page that are no longer guaranteed to be up to date.
    
    A potential corruption could occur in the following scenario:
    
    client 1			client 2
    ===============			===============
    				fd=open("f",O_CREAT|O_WRONLY,0644);
    				write(fd,"fubar\n",6);	// cache last page
    				close(fd);
    fd=open("f",O_WRONLY|O_APPEND);
    write(fd,"foo\n",4);
    close(fd);
    
    				fd=open("f",O_WRONLY|O_APPEND);
    				write(fd,"bar\n",4);
    				close(fd);
    -----
    The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
    client 2 does not update the cached page after re-opening the file for
    write. Instead it keeps it marked as PageUptodate() until someone calls
    invalidate_inode_pages2() (typically by calling read()).
    
    The bug was introduced by commit 44b1187
    "NFS: Separate metadata and page cache revalidation mechanisms"
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Trond Myklebust committed with gregkh Feb 8, 2008