Skip to content
Commits on Sep 9, 2008
  1. Linux 2.6.27-rc6

  2. Merge git://

    * git://
      ipv6: Fix OOPS in ip6_dst_lookup_tail().
      ipsec: Restore larval states and socket policies in dump
      [Bluetooth] Reject L2CAP connections on an insecure ACL link
      [Bluetooth] Enforce correct authentication requirements
      [Bluetooth] Fix reference counting during ACL config stage
  3. Merge git://

    * git://
      sparc64: Disable timer interrupts in fixup_irqs().
  4. @davem330

    ipv6: Fix OOPS in ip6_dst_lookup_tail().

    Neil Horman committed with davem330
    This fixes kernel bugzilla 11469: "TUN with 1024 neighbours:
    ip6_dst_lookup_tail NULL crash"
    dst->neighbour is not necessarily hooked up at this point
    in the processing path, so blindly dereferencing it is
    the wrong thing to do.  This NULL check exists in other
    similar paths and this case was just an oversight.
    Also fix the completely wrong and confusing indentation
    here while we're at it.
    Based upon a patch by Evgeniy Polyakov.
    Signed-off-by: Neil Horman <>
    Signed-off-by: David S. Miller <>
  5. Merge branch 'timers-fixes-for-linus' of git://…

    * 'timers-fixes-for-linus' of git://
      clockevents: remove WARN_ON which was used to gather information
  6. clockevents: remove WARN_ON which was used to gather information

    Thomas Gleixner committed
    The issue of the endless reprogramming loop due to a too small
    min_delta_ns was fixed with the previous updates of the clock events
    code, but we had no information about the spread of this problem. I
    added a WARN_ON to get automated information via and to
    get some direct reports, which allowed me to analyse the affected
    The WARN_ON has served its purpose and would be annoying for a release
    kernel. Remove it and just keep the information about the increase of
    the min_delta_ns value.
    Signed-off-by: Thomas Gleixner <>
  7. Merge branch 'x86-fixes-for-linus' of git://…

    * 'x86-fixes-for-linus' of git://
      x86: fix memmap=exactmap boot argument
      x86: disable static NOPLs on 32 bits
      xen: fix 2.6.27-rc5 xen balloon driver warnings
  8. @prarit

    x86: fix memmap=exactmap boot argument

    prarit committed with H. Peter Anvin
    When using kdump modifying the e820 map is yielding strange results.
    For example starting with
     BIOS-provided physical RAM map:
     BIOS-e820: 0000000000000100 - 0000000000093400 (usable)
     BIOS-e820: 0000000000093400 - 00000000000a0000 (reserved)
     BIOS-e820: 0000000000100000 - 000000003fee0000 (usable)
     BIOS-e820: 000000003fee0000 - 000000003fef3000 (ACPI data)
     BIOS-e820: 000000003fef3000 - 000000003ff80000 (ACPI NVS)
     BIOS-e820: 000000003ff80000 - 0000000040000000 (reserved)
     BIOS-e820: 00000000e0000000 - 00000000f0000000 (reserved)
     BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
     BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
     BIOS-e820: 00000000ff000000 - 0000000100000000 (reserved)
    and booting with args
    memmap=exactmap memmap=640K@0K memmap=5228K@16384K memmap=125188K@22252K memmap=76K#1047424K memmap=564K#1047500K
    resulted in:
     user-defined physical RAM map:
     user: 0000000000000000 - 0000000000093400 (usable)
     user: 0000000000093400 - 00000000000a0000 (reserved)
     user: 0000000000100000 - 000000003fee0000 (usable)
     user: 000000003fee0000 - 000000003fef3000 (ACPI data)
     user: 000000003fef3000 - 000000003ff80000 (ACPI NVS)
     user: 000000003ff80000 - 0000000040000000 (reserved)
     user: 00000000e0000000 - 00000000f0000000 (reserved)
     user: 00000000fec00000 - 00000000fec10000 (reserved)
     user: 00000000fee00000 - 00000000fee01000 (reserved)
     user: 00000000ff000000 - 0000000100000000 (reserved)
    But should have resulted in:
     user-defined physical RAM map:
     user: 0000000000000000 - 00000000000a0000 (usable)
     user: 0000000001000000 - 000000000151b000 (usable)
     user: 00000000015bb000 - 0000000008ffc000 (usable)
     user: 000000003fee0000 - 000000003ff80000 (ACPI data)
    This is happening because of an improper usage of strcmp() in the
    e820 parsing code.  The strcmp() always returns !0 and never resets the
    value for e820.nr_map and returns an incorrect user-defined map.
    This patch fixes the problem.
    Signed-off-by: Prarit Bhargava <>
    Signed-off-by: Ingo Molnar <>
  9. Merge branch 'for-linus' of git://…

    * 'for-linus' of git://
      [S390] cio: allow offline processing for disconnected devices
      [S390] cio: handle ssch() return codes correctly.
      [S390] cio: Correct cleanup on error.
      [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
  10. Merge branch 'upstream' of git://…

    * 'upstream' of git://
      [MIPS] IP22: Fix detection of second HPC3 on Challenge S
  11. Merge branch 'linux-next' of git://

    * 'linux-next' of git://
      UBIFS: make minimum fanout 3
      UBIFS: fix division by zero
      UBIFS: amend f_fsid
      UBIFS: fill f_fsid
      UBIFS: improve statfs reporting even more
      UBIFS: introduce LEB overhead
      UBIFS: add forgotten gc_idx_lebs component
      UBIFS: fix assertion
      UBIFS: improve statfs reporting
      UBIFS: remove incorrect index space check
      UBIFS: push empty flash hack down
      UBIFS: do not update min_idx_lebs in stafs
      UBIFS: allow for racing between GC and TNC
      UBIFS: always read hashed-key nodes under TNC mutex
      UBIFS: fix zero-length truncations
  12. lib: Correct printk %pF to work on all architectures

    James Bottomley committed with
    It was introduced by "vsprintf: add support for '%pS' and '%pF' pointer
    formats" in commit 0fe1ef2.  However,
    the current way its coded doesn't work on parisc64.  For two reasons: 1)
    parisc isn't in the #ifdef and 2) parisc has a different format for
    function descriptors
    Make dereference_function_descriptor() more accommodating by allowing
    architecture overrides.  I put the three overrides (for parisc64, ppc64
    and ia64) in arch/kernel/module.c because that's where the kernel
    internal linker which knows how to deal with function descriptors sits.
    Signed-off-by: James Bottomley <>
    Acked-by: Benjamin Herrenschmidt <>
    Acked-by: Tony Luck <>
    Acked-by: Kyle McMartin <>
    Signed-off-by: Linus Torvalds <>
  13. MAINTAINERS: add Atheros maintainer for atlx

    Chris Snook committed with
    Jie Yang at Atheros is getting more directly involved with upstream work
    on the atl* drivers.  This patch changes the ATL1 entry to ATLX (atl2
    support posted to netdev today) and adds him as a maintainer.
    Signed-off-by: Linus Torvalds <>
  14. update Documentation/filesystems/Locking for 2.6.27 changes

    Christoph Hellwig committed with
    In the 2.6.27 circle ->fasync lost the BKL, and the last remaining
    ->open variant that takes the BKL is also gone.  ->get_sb and ->kill_sb
    didn't have BKL forever, so updated the entries while we're at that.
    Signed-off-by: Christoph Hellwig <>
    Signed-off-by: Linus Torvalds <>
  15. @herbertx @davem330

    ipsec: Restore larval states and socket policies in dump

    herbertx committed with davem330
    The commit commit 4c563f7 ("[XFRM]:
    Speed up xfrm_policy and xfrm_state walking") inadvertently removed
    larval states and socket policies from netlink dumps.  This patch
    restores them.
    Signed-off-by: Herbert Xu <>
    Signed-off-by: David S. Miller <>
  16. @oberpar

    [S390] cio: allow offline processing for disconnected devices

    oberpar committed with Martin Schwidefsky
    When disconnected ccw devices are removed, the device has to be set
    offline, otherwise there will be side effects including a reference
    count imbalance. This patch modifies ccw_device_offline to work for
    devices in disconnecte/not operational state. ccw_device_offline is
    called by cio for devices which are online during device removal.
    Signed-off-by: Peter Oberparleiter <>
    Signed-off-by: Martin Schwidefsky <>
  17. @cohuck

    [S390] cio: handle ssch() return codes correctly.

    cohuck committed with Martin Schwidefsky
    ssch() has two classes of return codes:
    - condition codes (0-3) which need to be translated to Linux
      error codes
    - Linux error codes (-EIO on exceptions) which should be passed
      to the caller (instead of erronously being handled like
      condition code 3)
    Signed-off-by: Cornelia Huck <>
    Signed-off-by: Martin Schwidefsky <>
  18. @cohuck

    [S390] cio: Correct cleanup on error.

    cohuck committed with Martin Schwidefsky
    Fix cleanup on error in chp_new() and init_channel_subsystem()
    (must not call kfree() on structures that had been registered).
    Signed-off-by: Cornelia Huck <>
    Signed-off-by: Martin Schwidefsky <>
  19. [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bi…

    Jarod Wilson committed with Martin Schwidefsky
    …t mode
    When running a 31-bit ptrace, on either an s390 or s390x kernel,
    reads and writes into a padding area in struct user_regs_struct32
    will result in a kernel panic.
    This is also known as CVE-2008-1514.
    Test case available here:
    Steps to reproduce:
    1) wget the above
    2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
    3) ./user-area-padding-31bit
    Test status
    Without patch, both s390 and s390x kernels panic. With patch, the test case,
    as well as the gdb testsuite, pass without incident, padding area reads
    returning zero, writes ignored.
    Nb: original version returned -EINVAL on write attempts, which broke the
    gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
    the change to return 0 on write attempts.
    Signed-off-by: Jarod Wilson <>
    Tested-by: Jan Kratochvil <>
    Signed-off-by: Martin Schwidefsky <>
  20. @davem330
  21. @holtmann

    [Bluetooth] Reject L2CAP connections on an insecure ACL link

    holtmann committed
    The Security Mode 4 of the Bluetooth 2.1 specification has strict
    authentication and encryption requirements. It is the initiators job
    to create a secure ACL link. However in case of malicious devices, the
    acceptor has to make sure that the ACL is encrypted before allowing
    any kind of L2CAP connection. The only exception here is the PSM 1 for
    the service discovery protocol, because that is allowed to run on an
    insecure ACL link.
    Previously it was enough to reject a L2CAP connection during the
    connection setup phase, but with Bluetooth 2.1 it is forbidden to
    do any L2CAP protocol exchange on an insecure link (except SDP).
    The new hci_conn_check_link_mode() function can be used to check the
    integrity of an ACL link. This functions also takes care of the cases
    where Security Mode 4 is disabled or one of the devices is based on
    an older specification.
    Signed-off-by: Marcel Holtmann <>
  22. @holtmann

    [Bluetooth] Enforce correct authentication requirements

    holtmann committed
    With the introduction of Security Mode 4 and Simple Pairing from the
    Bluetooth 2.1 specification it became mandatory that the initiator
    requires authentication and encryption before any L2CAP channel can
    be established. The only exception here is PSM 1 for the service
    discovery protocol (SDP). It is meant to be used without any encryption
    since it contains only public information. This is how Bluetooth 2.0
    and before handle connections on PSM 1.
    For Bluetooth 2.1 devices the pairing procedure differentiates between
    no bonding, general bonding and dedicated bonding. The L2CAP layer
    wrongly uses always general bonding when creating new connections, but it
    should not do this for SDP connections. In this case the authentication
    requirement should be no bonding and the just-works model should be used,
    but in case of non-SDP connection it is required to use general bonding.
    If the new connection requires man-in-the-middle (MITM) protection, it
    also first wrongly creates an unauthenticated link key and then later on
    requests an upgrade to an authenticated link key to provide full MITM
    protection. With Simple Pairing the link key generation is an expensive
    operation (compared to Bluetooth 2.0 and before) and doing this twice
    during a connection setup causes a noticeable delay when establishing
    a new connection. This should be avoided to not regress from the expected
    Bluetooth 2.0 connection times. The authentication requirements are known
    up-front and so enforce them.
    To fulfill these requirements the hci_connect() function has been extended
    with an authentication requirement parameter that will be stored inside
    the connection information and can be retrieved by userspace at any
    time. This allows the correct IO capabilities exchange and results in
    the expected behavior.
    Signed-off-by: Marcel Holtmann <>
  23. @holtmann

    [Bluetooth] Fix reference counting during ACL config stage

    holtmann committed
    The ACL config stage keeps holding a reference count on incoming
    connections when requesting the extended features. This results in
    keeping an ACL link up without any users. The problem here is that
    the Bluetooth specification doesn't define an ownership of the ACL
    link and thus it can happen that the implementation on the initiator
    side doesn't care about disconnecting unused links. In this case the
    acceptor needs to take care of this.
    Signed-off-by: Marcel Holtmann <>
  24. @davem330

    sparc64: Disable timer interrupts in fixup_irqs().

    davem330 committed
    When a CPU is offlined, we leave the timer interrupts disabled
    because fixup_irqs() does not explicitly take care of that case.
    Fix this by invoking tick_ops->disable_irq().
    Based upon analysis done by Paul E. McKenney.
    Signed-off-by: David S. Miller <>
Commits on Sep 8, 2008
  1. Merge branch 'master' of git://…

    * 'master' of git://
      avr32: pm_standby low-power ram bug fix
      avr32: Fix lockup after Java stack underflow in user mode
  2. Merge branch 'merge' of git://…

    * 'merge' of git://
      powerpc: Fix rare boot build breakage
      powerpc/spufs: Fix possible scheduling of a context to multiple SPEs
      powerpc/spufs: Fix race for a free SPU
      powerpc/spufs: Fix multiple get_spu_context()
  3. Merge git://

    * git://
      Revert "crypto: camellia - Use kernel-provided bitops, unaligned access helpers"
  4. Merge

      [ARM] 5241/1: provide ioremap_wc()
      [ARM] omap: fix virtual vs physical address space confusions
      [ARM] remove unused #include <version.h>
      [ARM] omap: fix build error in ohci-omap.c
      [ARM] omap: fix gpio.c build error
  5. Merge branch 'sched-fixes-for-linus' of git://…

    * 'sched-fixes-for-linus' of git://
      sched: arch_reinit_sched_domains() must destroy domains to force rebuild
      sched, cpuset: rework sched domains and CPU hotplug handling (v4)
  6. Merge branch 'upstream-linus' of git://…

    * 'upstream-linus' of git://
      ahci: RAID mode SATA patch for Intel Ibex Peak DeviceIDs
      pata_sil680: remove duplicate pcim_enable_device
      libata-sff: kill spurious WARN_ON() in ata_hsm_move()
      sata_nv: disable hardreset for generic
      ahci: disable PMP for marvell ahcis
      sata_mv: add RocketRaid 1720 PCI ID to driver
      ahci, pata_marvell: play nicely together
  7. Fix format of MAINTAINERS

    Uwe Kleine-König committed with
    ... one entry lacked a colon which broke one of my scripts.
    Signed-off-by: Uwe Kleine-König <>
    Signed-off-by: Linus Torvalds <>
  8. Merge git://

    * git://
      bridge: don't allow setting hello time to zero
      netns : fix kernel panic in timewait socket destruction
      pkt_sched: Fix qdisc state in net_tx_action()
      netfilter: nf_conntrack_irc: make sure string is terminated before calling simple_strtoul
      netfilter: nf_conntrack_gre: nf_ct_gre_keymap_flush() fixlet
      netfilter: nf_conntrack_gre: more locking around keymap list
      netfilter: nf_conntrack_sip: de-static helper pointers
  9. Merge git://

    * git://
      sparc64: Prevent sparc64 from invoking irq handlers on offline CPUs
      sparc64: Fix IPI call locking.
  10. @jwessel

    usb: fix null deferences in low level usb serial

    jwessel committed with
    The hw interface drivers for the usb serial devices deference the tty
    structure to set up the parameters for the initial console.  The tty
    structure should be passed as a parameter to the set_termios() call.
    Signed-off-by: Jason Wessel <>
    Signed-off-by: Alan Cox <>
    Signed-off-by: Linus Torvalds <>
  11. @chucklever

    NFS: Restore missing hunk in NFS mount option parser

    chucklever committed with
    Automounter maps can contain mount options valid for other NFS
    implementations but not for Linux.  The Linux automounter uses the
    mount command's "-s" command line option ("s" for "sloppy") so that
    mount requests containing such options are not rejected.
    Commit f45663c attempted to address a
    known regression with text-based NFS mount option parsing.  Unrecognized
    mount options would cause mount requests to fail, even if the "-s"
    option was used on the mount command line.
    Unfortunately, this commit was not complete as submitted.  It adds a
    new mount option, "sloppy".  But it is missing a hunk, so it now allows
    NFS mounts with unrecognized mount options, even if the "sloppy" option
    is not present.  This could be a problem if a required critical mount
    option such as "sync" is misspelled, for example, and is considered a
    regression from 2.6.26.
    This patch restores the missing hunk.  Now, the default behavior of
    text-based NFS mount options is as before: any unrecognized mount option
    will cause the mount to fail.
    Please include this in 2.6.27-rc.
    Thanks to Neil Brown for reporting this.
    Signed-off-by: Chuck Lever <>
    Acked-by: J. Bruce Fields <>
    Signed-off-by: Linus Torvalds <>
Something went wrong with that request. Please try again.