commit f9dadfa71bc594df09044da61d1c72701121d802 Author: Linus Torvalds Date: Wed Nov 1 10:05:35 2006 -0800 i386: write IO APIC irq routing entries in correct order Since the "mask" bit is in the low word, when we write a new entry, we need to write the high word first, before we potentially unmask it. The exception is when we actually want to mask the interrupt, in which case we want to write the low word first to make sure that the high word doesn't change while the interrupt routing is still active. Signed-off-by: Linus Torvalds commit 130fe05dbc0114609cfef9815c0c5580b42decfa Author: Linus Torvalds Date: Wed Nov 1 09:11:00 2006 -0800 i386: clean up io-apic accesses This is preparation for fixing the ordering of the accesses that got broken by the commit cf4c6a2f27f5db810b69dcb1da7f194489e8ff88 when factoring out the "common" io apic routing entry accesses. Move the accessor function (that were only used by io_apic.c) out of a header file, and use proper memory-mapped accesses rather than making up our own "volatile" pointers. Signed-off-by: Linus Torvalds commit 4b1c46a383aafc137bc91a0f9698bfc11e062d1b Merge: 30574b6... 4393c4f... Author: Linus Torvalds Date: Wed Nov 1 06:38:20 2006 -0800 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc: [POWERPC] Make alignment exception always check exception table [POWERPC] Disallow kprobes on emulate_step and branch_taken [POWERPC] Make mmiowb's io_sync preempt safe [POWERPC] Make high hugepage areas preempt safe [POWERPC] Make current preempt-safe [POWERPC] qe_lib: qe_issue_cmd writes wrong value to CECDR [POWERPC] Use 4kB iommu pages even on 64kB-page systems [POWERPC] Fix oprofile support for e500 in arch/powerpc [POWERPC] Fix rmb() for e500-based machines it [POWERPC] Fix various offb issues commit 30574b61611ccd29677989097f8c8a5d9a73d873 Merge: 0ca4323... c6446a4... Author: Linus Torvalds Date: Tue Oct 31 21:17:23 2006 -0800 Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev * 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev: [PATCH] ata_piix: allow 01b MAP for both ICH6M and ICH7M [PATCH] libata: unexport ata_dev_revalidate() [PATCH] Add 0x7110 piix to ata_piix.c [PATCH] sata_sis: fix flags handling for the secondary port commit 4393c4f6788cee65095dd838cfeca6edefbfeb52 Author: Benjamin Herrenschmidt Date: Wed Nov 1 15:11:39 2006 +1100 [POWERPC] Make alignment exception always check exception table The alignment exception used to only check the exception table for -EFAULT, not for other errors. That opens an oops window if we can coerce the kernel into getting an alignment exception for other reasons in what would normally be a user-protected accessor, which can be done via some of the futex ops. This fixes it by always checking the exception tables. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras commit 0d69a052d4d7c4085706b9ac0d1bd28ff90c9fca Author: Gui,Jian Date: Wed Nov 1 10:50:15 2006 +0800 [POWERPC] Disallow kprobes on emulate_step and branch_taken On powerpc, probing on emulate_step function will crash 2.6.18.1 when it is triggered. When kprobe is triggered, emulate_step() is on its kernel path and will cause recursive kprobe fault. And branch_taken() is called in emulate_step(). This disallows kprobes on both of them. Signed-off-by: Paul Mackerras commit 292f86f005e3867277b2126c2399eea3e773a4fc Author: Hugh Dickins Date: Tue Oct 31 18:41:51 2006 +0000 [POWERPC] Make mmiowb's io_sync preempt safe If mmiowb() is always used prior to releasing spinlock as Doc suggests, then it's safe against preemption; but I'm not convinced that's always the case. If preemption occurs between sync and get_paca()->io_sync = 0, I believe there's no problem. But in the unlikely event that gcc does the store relative to another register than r13 (as it did with current), then there's a small danger of setting another cpu's io_sync to 0, after it had just set it to 1. Rewrite ppc64 mmiowb to prevent that. The remaining io_sync assignments in io.h all get_paca()->io_sync = 1, which is harmless even if preempted to the wrong cpu (the context switch itself syncs); and those in spinlock.h are while preemption is disabled. Signed-off-by: Hugh Dickins Signed-off-by: Paul Mackerras commit 96268889ee369b36203b7a06e8aabb197270216e Author: Hugh Dickins Date: Tue Oct 31 18:40:39 2006 +0000 [POWERPC] Make high hugepage areas preempt safe Checking source for other get_paca()->field preemption dangers found that open_high_hpage_areas does a structure copy into its paca while preemption is enabled: unsafe however gcc accomplishes it. Just remove that copy: it's done safely afterwards by on_each_cpu, as in open_low_hpage_areas. Signed-off-by: Hugh Dickins Acked-by: David Gibson Signed-off-by: Paul Mackerras commit 5fe8e8b88e68e517637e3f8287f1fee89e2d9252 Author: Hugh Dickins Date: Tue Oct 31 18:39:31 2006 +0000 [POWERPC] Make current preempt-safe Repeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel would often collapse within a day, some exec failing with "Bad address". In each case examined, load_elf_binary was doing a kernel_read, but generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS instead of KERNEL_DS. objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)" here for get_paca()->__current, instead of the expected and much more usual "ld r9,416(r13)"; I've seen other gcc4s do the same, but perhaps not gcc3s. So, if the task is preempted and rescheduled on a different cpu in between the mr and the ld, r5 will be looking at a different paca_struct from the one it's now on, pick up the wrong __current, and perhaps the wrong seg. Presumably much worse could happen elsewhere, though that split is rare. Other architectures appear to be safe (x86_64's read_pda is more limiting than get_paca), but ppc64 needs to force "current" into one instruction. Signed-off-by: Hugh Dickins Signed-off-by: Paul Mackerras commit 302439d2167e0f1e01a6480ac40c06063f4e16a1 Author: Timur Tabi Date: Tue Oct 31 17:53:42 2006 +0800 [POWERPC] qe_lib: qe_issue_cmd writes wrong value to CECDR Changed qe_issue_cmd() to write cmd_input to the CECDR unmodified. It was treating cmd_input as a virtual address and tried to convert it to a physical address. Signed-off-by: Timur Tabi Signed-off-by: Paul Mackerras commit 5d2efba64b231a1733c4048d1708d77e07f26426 Author: Linas Vepstas Date: Mon Oct 30 16:15:59 2006 +1100 [POWERPC] Use 4kB iommu pages even on 64kB-page systems The 10Gigabit ethernet device drivers appear to be able to chew up all 256MB of TCE mappings on pSeries systems, as evidenced by numerous error messages: iommu_alloc failed, tbl c0000000010d5c48 vaddr c0000000d875eff0 npages 1 Some experimentation indicates that this is essentially because one 1500 byte ethernet MTU gets mapped as a 64K DMA region when the large 64K pages are enabled. Thus, it doesn't take much to exhaust all of the available DMA mappings for a high-speed card. This patch changes the iommu allocator to work with its own unique, distinct page size. Although the patch is long, its actually quite simple: it just #defines a distinct IOMMU_PAGE_SIZE and then uses this in all the places that matter. As a side effect, it also dramatically improves network performance on platforms with H-calls on iommu translation inserts/removes (since we no longer call it 16 times for a 1500 bytes packet when the iommu HW is still 4k). In the future, we might want to make the IOMMU_PAGE_SIZE a variable in the iommu_table instance, thus allowing support for different HW page sizes in the iommu itself. Signed-off-by: Linas Vepstas Signed-off-by: Benjamin Herrenschmidt Acked-by: Olof Johansson Acked-by: Stephen Rothwell Signed-off-by: Paul Mackerras commit dd6c89f686bdb2a5de72fab636fc839e5a0add6d Author: Andy Fleming Date: Fri Oct 27 15:06:32 2006 -0500 [POWERPC] Fix oprofile support for e500 in arch/powerpc Fixed a compile error in building the 85xx support with oprofile, and in the process cleaned up some issues with the fsl_booke performance monitor code. * Reorganized FSL Book-E performance monitoring code so that the 7450 wouldn't be built if the e500 was, and cleaned it up so it was more self-contained. * Added a cpu_setup function for FSL Book-E. The original cpu_setup function prototype had no arguments, assuming that the reg_setup function would copy the required information into variables which represented the registers. This was silly for e500, since it has 1 register per counter (rather than 3 for all counters), so the code has been restructured to have cpu_setup take the current counter config array as an argument, with op_powerpc_setup() invoking op_powerpc_cpu_setup() through on_each_cpu(), and op_powerpc_cpu_setup() invoking the model-specific cpu_setup function with an argument. The argument is ignored on all other platforms at present. * Fixed a confusing line where a trinary operator only had two arguments Signed-off-by: Andrew Fleming Signed-off-by: Paul Mackerras commit e0da0daee14862e0a5c49f2059641a8deb27eca2 Author: Andy Fleming Date: Fri Oct 27 14:31:07 2006 -0500 [POWERPC] Fix rmb() for e500-based machines it The e500 core generates an illegal instruction exception when it tries to execute the lwsync instruction, which we currently use for rmb(). This fixes it by using the LWSYNC macro, which turns into a plain sync on 32-bit machines. Signed-off-by: Andrew Fleming Signed-off-by: Paul Mackerras commit 441cbd8dace80545db2ac43175ac1c097d96f75c Author: Benjamin Herrenschmidt Date: Thu Oct 26 15:38:10 2006 +1000 [POWERPC] Fix various offb issues This patch fixes a few issues in offb: - A test was inverted causing the palette hack to never work (no device node was passed down to the init function) - Some cards seem to have their assigned-addresses property in a random order, thus we need to try using of_get_pci_address() first, which will fail if it's not a PCI device, and fallback to of_get_address() in that case. of_get_pci_address() properly parsees assigned-addresses to test the BAR number and thus will get it right whatever the order is. - Some cards (like GXT4500) provide a linebytes of 0xffffffff in the device-tree which does no good. This patch handles that by using the screen width when that happens. (Also fixes btext.c while at it). - Add detection of the GXT4500 in addition to the GXT2000 for the palette hacks (we use the same hack, palette is linear in register space at offset 0x6000). Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras commit c6446a4cdadaf411bafe1565e9fa7666f3c2fe95 Author: Tejun Heo Date: Mon Oct 9 13:23:58 2006 +0900 [PATCH] ata_piix: allow 01b MAP for both ICH6M and ICH7M ICH7M was separated from ICH6M to allow undocumented MAP value 01b which was spotted on an ASUS notebook. However, there is also notebooks with MAP value 01b on ICH6M. This patch re-merges ICH6M and ICH7M entries and allows MAP value 01b for both. This problem has been reported and initial patch provided by Jonathan Dieter. Signed-off-by: Tejun Heo Cc: Jonathan Dieter Cc: Tom Deblauwe Signed-off-by: Jeff Garzik commit 6e42acc4115bc376b8523acbcba2b2b7cc27d016 Author: Tejun Heo Date: Fri Oct 27 19:08:42 2006 -0700 [PATCH] libata: unexport ata_dev_revalidate() ata_dev_revalidate() isn't used outside of libata core. Unexport it. Signed-off-by: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Jeff Garzik commit f833229c96c0bf53c05995e4bd58709d9e9edd67 Author: Jens Axboe Date: Tue Oct 31 09:31:37 2006 +0100 [PATCH] Add 0x7110 piix to ata_piix.c Hi Jeff, I tested the PATA support on my old VAIO notebook, and it failed to find my piix device: 00:07.1 Class 0101: 8086:7111 (rev 01) (prog-if 80 [Master]) Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR- Signed-off-by: Jeff Garzik commit cf0e812f0e90ee496af072b136e8bd02770387e6 Author: Tejun Heo Date: Fri Oct 27 19:08:47 2006 -0700 [PATCH] sata_sis: fix flags handling for the secondary port sis_init_one() modifies probe_ent->port_flags after allocating and initializing it using ata_pci_init_native_mode(). This makes port_flags for the secondary port (probe_ent->pinfo2->flags) go out of sync resulting in misdetection of device due to incorrectly initialized SCR access flag. This patch make probe_ent alloc/init happen after the final port flags value is determined. This is fragile but probe_ent and all the related mess are scheduled to go away soon for exactly this reason. We just need to hold everything together till then. This has been spotted and diagnosed and tested by Patrick McHardy. Signed-off-by: Tejun Heo Cc: Patric McHardy Cc: Jeff Garzik Signed-off-by: Andrew Morton Signed-off-by: Jeff Garzik commit 0ca43235b34c92278fa903297acef37198ec3e26 Author: Stephen Hemminger Date: Wed Oct 18 13:39:28 2006 -0700 [PATCH] sky2: netpoll on dual port cards The sky2 driver uses a single NAPI poll routine for both ports on dual ported cards (because there is a single IRQ and status ring). Netpoll makes assumptions about the relationship between network device and NAPI that aren't correct on the second port, this will cause the port to never clear work. Most systems, just have single port, so not a big issue. The easy fix is just make the second port, not netpoll capable. Signed-off-by: Stephen Hemminger Signed-off-by: Jeff Garzik commit 798b6b19d7a4b6e1ea5340ec8b3b92811e05b81b Author: Stephen Hemminger Date: Sun Oct 22 20:16:57 2006 -0700 [PATCH] skge, sky2, et all. gplv2 only I don't want my code to downgraded to GPLv3 because of cut-n-pasted the comments. These files which I hold copyright on were started before it was clear what GPLv3 was going to be. Signed-off-by: Stephen Hemminger Signed-off-by: Jeff Garzik commit 2ceaac755423cb93c1bb2f59ebd1a06f027ac095 Author: David Rientjes Date: Mon Oct 30 14:19:25 2006 -0800 [PATCH] net s2io: return on NULL dev_alloc_skb() Checks for NULL dev_alloc_skb() and returns on true to avoid subsequent dereference. Cc: Jeff Garzik Cc: Christoph Hellwig Signed-off-by: David Rientjes Signed-off-by: Jeff Garzik commit 1e1675ccf758cbb4303ab052d58405cda6c745a7 Author: Jan-Bernd Themann Date: Wed Oct 25 13:11:42 2006 +0200 [PATCH] ehea: kzalloc GFP_ATOMIC fix This patch fixes kzalloc parameters (GFP_ATOMIC instead of GFP_KERNEL) Signed-off-by: Jan-Bernd Themann Signed-off-by: Jeff Garzik commit 1e7bed081968c42469bd02842b4190a115008221 Author: Brice Goglin Date: Thu Oct 26 22:51:33 2006 +0200 [PATCH] myri10ge: ServerWorks HT2000 PCI id is already defined in pci_ids.h No need to keep defining PCI_DEVICE_ID_SERVERWORKS_HT2000_PCIE in the driver code since it is now defined in pci_ids.h. Signed-off-by: Brice Goglin Signed-off-by: Jeff Garzik commit f479b322a0949d540b45aea645793058b0c50be5 Author: Stephen Hemminger Date: Fri Oct 27 10:22:10 2006 -0700 [PATCH] sky2: not experimental The sky2 driver is no longer in experimental state. Signed-off-by: Stephen Hemminger Signed-off-by: Jeff Garzik commit 09669585b5d0cfdebe28250d442693b3baac66a2 Author: Akinobu Mita Date: Sun Oct 29 03:47:12 2006 +0900 [PATCH] n2: fix confusing error code modprobe n2 with no parameters or no such devices will get confusing error message. # modprobe n2 ... Kernel does not have module support This patch replaces return code from -ENOSYS to -EINVAL. Cc: Jeff Garzik Cc: Krzysztof Halasa Signed-off-by: Akinobu Mita drivers/net/wan/n2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Signed-off-by: Jeff Garzik commit 9d4df9e0fadfc84cd826e0f7e946691b4d7baee5 Author: Akinobu Mita Date: Sun Oct 29 03:52:14 2006 +0900 [PATCH] tokenring: fix module_init error handling - Call platform_driver_unregister() before return when no cards found. (fixes data corruption when no cards found) - Check platform_device_register_simple() return value Cc: Jeff Garzik Cc: Mike Phillips Signed-off-by: Akinobu Mita drivers/net/tokenring/proteon.c | 9 +++++++-- drivers/net/tokenring/skisa.c | 9 +++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) Signed-off-by: Jeff Garzik commit 06f0015ace46ce9d313ec02d6b13c47c8e795a6c Author: Lennert Buytenhek Date: Mon Oct 30 19:54:08 2006 +0100 [PATCH] ep93xx_eth: don't report RX errors Flooding the console with error messages for every RX FIFO overrun, checksum error and framing error isn't very sensible. Each of these errors can occur during normal operation, so stop printk'ing error messages for RX errors at all. Signed-off-by: Lennert Buytenhek Signed-off-by: Jeff Garzik commit 79c356f44b26da9fe357ed1a11e7faec4fd94e13 Author: Lennert Buytenhek Date: Mon Oct 30 19:52:54 2006 +0100 [PATCH] ep93xx_eth: fix unlikely(x) > y test Fix unlikely(x) > y test in ep93xx_eth. Signed-off-by: Lennert Buytenhek Signed-off-by: Jeff Garzik commit 2d38caba5fd148976f54930782e8209fa45879a0 Author: Lennert Buytenhek Date: Mon Oct 30 19:52:31 2006 +0100 [PATCH] ep93xx_eth: fix RX/TXstatus ring full handling Ray Lehtiniemi reported that an incoming UDP packet flood can lock up the ep93xx ethernet driver. Herbert Valerio Riedel noted that due to the way ep93xx_eth manages the RX/TXstatus rings, it cannot distinguish a full ring from an empty one, and correctly suggested that this was likely to be causing this lockup to occur. Instead of looking at the hardware's RX/TXstatus ring write pointers to determine when to stop reading from those rings, we should just check every individual RX/TXstatus descriptor's valid bit instead, since there is no other way to distinguish an empty ring from a full ring, and if there is a descriptor waiting, we take the hit of reading the descriptor from memory anyway. Signed-off-by: Lennert Buytenhek Signed-off-by: Jeff Garzik commit d5b9b787b5e1618dfe82a2c2a6972374e85b02db Merge: 16b7b2a... 024e4f2... Author: Linus Torvalds Date: Tue Oct 31 17:03:50 2006 -0800 Merge branch 'release' of master.kernel.org:/pub/scm/linux/kernel/git/aegl/linux-2.6 * 'release' of master.kernel.org:/pub/scm/linux/kernel/git/aegl/linux-2.6: [IA64] Correct definition of handle_IPI [IA64] move SAL_CACHE_FLUSH check later in boot [IA64] MCA recovery: Montecito support [IA64] cpu-hotplug: Fixing confliction between CPU hot-add and IPI [IA64] don't double >> PAGE_SHIFT pointer for /dev/kmem access commit 024e4f2c5175a482c234cf67ed22368d770bf78f Author: Keith Owens Date: Wed Oct 18 15:36:49 2006 +1000 [IA64] Correct definition of handle_IPI The declaration of handle_IPI in arch/ia64/kernel/smp.c was changed but not the definition of this function. Remove struct pt_regs from handle_IPI(). Signed-off-by: Keith Owens Signed-off-by: Tony Luck commit fa1d19e5d9a94120f31e5783ab44758f46892d94 Author: Troy Heber Date: Wed Oct 25 14:46:15 2006 -0600 [IA64] move SAL_CACHE_FLUSH check later in boot The check to see if the firmware drops interrupts during a SAL_CACHE_FLUSH is done to early in the boot. SAL_CACHE_FLUSH expects to be able to make PAL calls in virtual mode, on some cell based machines a fault occurs causing a MCA. This patch moves the check after mmu_context_init so the TLB and VHPT are properly setup. Signed-off-by Troy Heber Signed-off-by: Tony Luck commit 264b0f99308436deaee38bab99e586612d012fc1 Author: Russ Anderson Date: Wed Oct 25 17:59:47 2006 -0500 [IA64] MCA recovery: Montecito support The information in MCA records is filled in slightly differently on Montecito than on Madison/McKinley. Usually, the cache check and bus check target identifiers have the same address. On Montecito the cache check and bus check target identifiers can be different if a corrected error (ie SBE or unconsumed poison data) was encountered and then an uncorrected error (ie DBE) was consumed. In that case, the cache check target identifier is the physical address of the DBE (that caused the MCA to surface) while the bus check target identifier is the physical address of the SBE. This patch correctly finds the target identifier that triggered the MCA. If there are multiple valid cache target identifiers in the same error record then use the one with the lowest cache level. Signed-off-by: Russ Anderson (rja@sgi.com) Signed-off-by: Tony Luck commit 5ee7737379b1d7f0c977c0f1661fbaf01a8d4721 Author: Kenji Kaneshige Date: Fri Oct 27 19:49:53 2006 +0900 [IA64] cpu-hotplug: Fixing confliction between CPU hot-add and IPI Signed-off-by: Kenji Kaneshige Acked-by: Satoru Takeuchi Acked-by: KAMEZAWA Hiroyuki Signed-off-by: Tony Luck commit 16b7b2ac0148e839da86af8747b6fa4aad43a9b7 Author: Atsushi Nemoto Date: Tue Oct 24 00:21:27 2006 +0900 [MIPS] Fixup migration to GENERIC_TIME Since we already moved to GENERIC_TIME, we should implement alternatives of old do_gettimeoffset routines to get sub-jiffies resolution from gettimeofday(). This patch includes: * MIPS clocksource support (based on works by Manish Lachwani). * remove unused gettimeoffset routines and related codes. * remove unised 64bit do_div64_32(). * simplify mips_hpt_init. (no argument needed, __init tag) * simplify c0_hpt_timer_init. (no need to write to c0_count) * remove some hpt_init routines. * mips_hpt_mask variable to specify bitmask of hpt value. * convert jmr3927_do_gettimeoffset to jmr3927_hpt_read. * convert ip27_do_gettimeoffset to ip27_hpt_read. * convert bcm1480_do_gettimeoffset to bcm1480_hpt_read. * simplify sb1250 hpt functions. (no need to subtract and shift) Signed-off-by: Atsushi Nemoto Signed-off-by: Ralf Baechle commit 70e46f48cb5933119712ee27945309a4bfc98282 Author: Ralf Baechle Date: Tue Oct 31 18:33:09 2006 +0000 [MIPS] VSMP: Synchronize cp0 counters on bootup. Signed-off-by: Ralf Baechle commit e79f55a8c7aaae5a33e8c2b29682ec8e603b5434 Author: Ralf Baechle Date: Tue Oct 31 19:53:15 2006 +0000 [MIPS] Flags must be unsigned long. Signed-off-by: Ralf Baechle commit 781b0f8d4f9c90137ea32771346ab49f0e5319b3 Author: Ralf Baechle Date: Tue Oct 31 18:25:10 2006 +0000 [MIPS] VSMP: Fix initialization ordering bug. Signed-off-by: Ralf Baechle commit 3ab0f40f333007eb31dc1e08f578ec224c7d71c2 Author: Yoichi Yuasa Date: Tue Oct 31 13:44:38 2006 +0900 [MIPS] Fix warning of printk format in mips_srs_init() arch/mips/kernel/traps.c:1115: warning: int format, long unsigned int arg (arg 2) Signed-off-by: Yoichi Yuasa Signed-off-by: Ralf Baechle commit 38384c8bd82474bf74ea68e4e44aaa14504deb07 Author: Yoichi Yuasa Date: Tue Oct 31 13:38:44 2006 +0900 [MIPS] Yosemite: fix uninitialized variable in titan_i2c_xfer() Signed-off-by: Yoichi Yuasa Signed-off-by: Ralf Baechle commit c21e6d65f70d64b359a37545592f39e28074864e Author: Ralf Baechle Date: Tue Oct 31 13:41:59 2006 +0000 [MIPS] Sort out missuse of __init for prom_getcmdline() Signed-off-by: Ralf Baechle commit e8f05de54055e90e6d58e45866f84ecdb0b48acd Author: Manish Lachwani Date: Sat Jan 22 09:23:38 2005 -0800 [MIPS] Add missing file for support of backplane on TX4927 based board Signed-off-by: Manish Lachwani Signed-off-by: Ralf Baechle commit 0887fa5158fe7da4a46ae526d313ae636440deae Author: Ralf Baechle Date: Tue Oct 31 11:52:03 2006 +0000 [MIPS] TX4927: Remove indent error message that somehow ended in the code. Signed-off-by: Ralf Baechle commit 80fc115d461031dc66bb7f31b8c84868e370fea6 Author: Randy Dunlap Date: Mon Oct 30 20:41:11 2006 -0800 [PATCH] SCSI: ISCSI build failure SCSI_QLA_ISCSI needs to depend on NET to prevent build (link) failures that are caused by selecting SCSI_ISCSI_ATTRS. Signed-off-by: Randy Dunlap Signed-off-by: Linus Torvalds commit 5fccbf61be2a7f32d2002b04afca4c5009612a58 Author: Jens Axboe Date: Tue Oct 31 14:21:55 2006 +0100 [PATCH] CFQ: request <-> request merging rr_list fixup In very rare circumstances would we be pruning a merged request and at the same time delete the implicated cfqq from the rr_list, and not readd it when the merged request got added. This could cause io stalls until that process issued io again. Fix it up by putting the rr_list add handling into cfq_add_rq_rb(), identical to how pruning is handled in cfq_del_rq_rb(). This fixes a hang reproducible with fsx-linux. Signed-off-by: Jens Axboe Signed-off-by: Linus Torvalds commit eafa6cb18ec7e5424ce54017b5ce6d11dff58b79 Merge: 612b322... 4731f2d... Author: Linus Torvalds Date: Tue Oct 31 08:10:03 2006 -0800 Merge master.kernel.org:/pub/scm/linux/kernel/git/lethal/sh-2.6 * master.kernel.org:/pub/scm/linux/kernel/git/lethal/sh-2.6: sh: Titan defconfig update. sh: Fix IPR-IRQ's for IRQ-chip change breakage. sh: Update r7780rp_defconfig. video: Fix include in hp680_bl. sh: Wire up new syscalls. commit 612b322ade7954a1d984fa410a70d4ae50f75c0d Merge: d2c59a2... 1b7c2db... Author: Linus Torvalds Date: Tue Oct 31 08:08:31 2006 -0800 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [IPV6]: fix flowlabel seqfile handling [IPV6]: return EINVAL for invalid address with flowlabel lease request [SCTP]: Remove temporary associations from backlog and hash. [SCTP]: Correctly set IP id for SCTP traffic [NetLabel]: protect the CIPSOv4 socket option from setsockopt() [NETFILTER]: ip_tables: compat code module refcounting fix [NETFILTER]: nf_conntrack: add missing unlock in get_next_corpse() [NETFILTER]: ip_tables: compat error way cleanup [NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables [NETFILTER]: remove masq/NAT from ip6tables Kconfig help [IPV6]: fix lockup via /proc/net/ip6_flowlabel [NET]: fix uaccess handling [SCTP]: Always linearise packet on input [ETH1394]: Fix unaligned accesses. [DCCP]: fix printk format warnings [NET]: Fix segmentation of linear packets [XFRM] xfrm_user: Fix unaligned accesses. [APPLETALK]: Fix potential OOPS in atalk_sendmsg(). [NET] sealevel: uses arp_broken_ops commit d2c59a22dd7c0a59dfff60a8e9910f76f308b9f2 Merge: 5ddfe96... 5af47db... Author: Linus Torvalds Date: Tue Oct 31 08:08:06 2006 -0800 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6 * master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6: [SPARC64]: Add some missing print_symbol() calls. [SPARC64]: Fix Tomatillo/Schizo IRQ handling. commit 5ddfe9691c91a244e8d1be597b6428fcefd58103 Author: NeilBrown Date: Mon Oct 30 22:07:21 2006 -0800 [PATCH] md: check bio address after mapping through partitions. Partitions are not limited to live within a device. So we should range check after partition mapping. Note that 'maxsector' was being used for two different things. I have split off the second usage into 'old_sector' so that maxsector can be still be used for it's primary usage later in the function. Cc: Jens Axboe Signed-off-by: Neil Brown Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 45ec4ababe999cb95f9c0cad03b2689cb0b77a2b Author: Michael Halcrow Date: Mon Oct 30 22:07:20 2006 -0800 [PATCH] eCryptfs: Fix handling of lower d_count Fix the use of dget/dput calls to balance out on the lower filesystem. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 316bb95e8ed0ddcd767e8aa54264b6c6190f150c Author: Michael Halcrow Date: Mon Oct 30 22:07:20 2006 -0800 [PATCH] eCryptfs: Remove ecryptfs_umount_begin There is no point to calling the lower umount_begin when the eCryptfs umount_begin is called. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 7ff1d74f5670329ac4b5959a675f8698ba95be20 Author: Michael Halcrow Date: Mon Oct 30 22:07:19 2006 -0800 [PATCH] eCryptfs: Consolidate lower dentry_open's Opens on lower dentry objects happen in several places in eCryptfs, and they all involve the same steps (dget, mntget, dentry_open). This patch consolidates the lower open events into a single function call. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8bba066f4e3854755a303cee37ea37bd080a46b3 Author: Michael Halcrow Date: Mon Oct 30 22:07:18 2006 -0800 [PATCH] eCryptfs: Cipher code to new crypto API Update cipher block encryption code to the new crypto API. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 565d9724b8ce49b530287de34aa17f45f21624d5 Author: Michael Halcrow Date: Mon Oct 30 22:07:17 2006 -0800 [PATCH] eCryptfs: Hash code to new crypto API Update eCryptfs hash code to the new kernel crypto API. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e5d9cbde6ce0001e49994df5fcdcbeff8be8037b Author: Michael Halcrow Date: Mon Oct 30 22:07:16 2006 -0800 [PATCH] eCryptfs: Clean up crypto initialization Clean up the crypto initialization code; let the crypto API take care of the key size checks. Signed-off-by: Michael Halcrow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 4a279ff1ea1cf325775ada983035123fcdc8e986 Author: Oleg Nesterov Date: Mon Oct 30 22:07:15 2006 -0800 [PATCH] taskstats: fix sub-threads accounting If there are no listeners, taskstats_exit_send() just returns because taskstats_exit_alloc() didn't allocate *tidstats. This is wrong, each sub-thread should do fill_tgid_exit() on exit, otherwise its ->delays is not recorded in ->signal->stats and lost. Q: We don't send TASKSTATS_TYPE_AGGR_TGID when single-threaded process exits. Is it good? How can the listener figure out that it was actually a process exit, not sub-thread? Signed-off-by: Oleg Nesterov Cc: Balbir Singh Acked-by: Shailabh Nagar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 525fdb6cc929b515ad7e0be40fd023cff8660ed8 Author: Jeff Dike Date: Mon Oct 30 22:07:14 2006 -0800 [PATCH] uml: add INITCALLS This is the UML piece of the INITCALLS tidying. Signed-off-by: Jeff Dike Cc: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d1480c56feb2a894fd47fb399999a5b320c3e103 Author: Jeff Dike Date: Mon Oct 30 22:07:13 2006 -0800 [PATCH] uml: add _text definition to linker scripts kallsyms now refers to addresses as '_text + 0xADDRESS', rather than just '0xADDRESS', so we need to define _text. Signed-off-by: Jeff Dike Cc: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d8d7c28ec0b50ac57ddc909ae6eca1519473f300 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:12 2006 -0800 [PATCH] uml ubd driver: various little changes Fix a small memory leak in ubd_config, and clearify the confusion which lead to it. Then, some little changes not affecting operations - * move init functions together, * add a comment about a potential problem in case of some evolution in the block layer, * mark all initcalls as static __init functions * mark an used once little function as inline * document that mconsole methods are all called in process context (was triggered when checking ubd mconsole methods). Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0bf16bffeef65622603af22151156807323d7dc7 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:11 2006 -0800 [PATCH] uml ubd driver: do not store error codes as ->fd To simplify error handling, make sure fd is saved into ubd_dev->fd only when we are sure it is an fd and not an error code. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 84e945e399ce9710a34035ea81eaf5719aa709af Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:10 2006 -0800 [PATCH] uml ubd driver: use bitfields where possible Use bitfields for boolean fields in ubd data structure. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e7f6552f237498c805af9f01aba168b731e0a4ce Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:09 2006 -0800 [PATCH] uml ubd driver: reformat ubd_config Pure whitespace and style fixes split out from subsequent patch. Some changes (err -> ret) don't make sense now, only later, but I split them out anyway since they cluttered the patch. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2fe30a34a141c2188ff2cdd670d031088d9c5d20 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:09 2006 -0800 [PATCH] uml ubd driver: convert do_ubd to a boolean variable do_ubd is actually just a boolean variable - the way it is used currently is a leftover from the old 2.4 block layer, but it is still used; its use is suspicious, but removing it would be too intrusive for now and needs more thinking. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 33f775eea185e8df7701c4afc2c8fcee85c83282 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:08 2006 -0800 [PATCH] uml ubd driver: ubd_io_lock usage fixup Add some comments about requirements for ubd_io_lock and expand its use. When an irq signals that the "controller" (i.e. another thread on the host, which does the actual requests and is the only one blocked on I/O on the host) has done some work, we call again the request function ourselves (do_ubd_request). We now do that with ubd_io_lock held - that's useful to protect against concurrent calls to elv_next_request and so on. XXX: Maybe we shouldn't call at all the request function. Input needed on this. Are we supposed to plug and unplug the queue? That code "indirectly" does that by setting a flag, called do_ubd, which makes the request function return (it's a residual of 2.4 block layer interface). Meanwhile, however, merge this patch, which improves things. Cc: Jens Axboe Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d7fb2c3865ca0f95d92e2864c3dc9220789d83f5 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:07 2006 -0800 [PATCH] uml ubd driver: change ubd_lock to be a mutex This lock protects ubd setup and teardown, so is only used in process context; beyond that, during such setup memory allocations must be performed and some generic functions which can sleep must be called (such as add_disk()). So the only correct solution is to make it a mutex instead of a spin_lock. No other change is done - this lock must be acquired in different places but it's done afterwards. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 5f75a4f887a35b99878fc07ed749a90375194b63 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:06 2006 -0800 [PATCH] uml ubd driver: give better names to some functions. To rethink locking, I needed to understand well what each function does. While doing this I renamed some: * ubd_close -> ubd_close_dev (since it pairs with ubd_open_dev) * ubd_new_disk -> ubd_disk_register (it handles registration with the block layer - one hopes this makes clearer the difference with ubd_add()) Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 7d314e346d6081e8013a96206e601a48528d8f60 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:05 2006 -0800 [PATCH] uml ubd driver: var renames Rename the ubd_dev array to ubd_devs and then call any "struct ubd" ubd_dev instead of dev, which doesn't make clear what we're treating (and no, it's not hungarian notation - not any more than calling all vm_area_struct vma or all inodes inode). Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2a9d32f682b2b4928dcd4680bc99e98a3d096816 Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:04 2006 -0800 [PATCH] uml ubd driver: document some struct fields Add documentation about some fields in struct ubd, whose meaning is non-obvious due to struct names (should change names altogether, I agree). Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 97d88ac83540f9ba9536326c30db4815c5b9169b Author: Paolo 'Blaisorblade' Giarrusso Date: Mon Oct 30 22:07:03 2006 -0800 [PATCH] uml ubd driver: allow using up to 16 UBD devices With 256 minors and 16 minors used per each UBD device, we can allow the use of up to 16 UBD devices per UML. Also chnage parse_unit and leave to the caller (which already do it) the check for excess numbers, since this is just supposed to do raw parsing. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 36a561d6a95c4b89ae4845bf91456b4f784b6eec Author: Andrew Morton Date: Mon Oct 30 22:07:03 2006 -0800 [PATCH] find_bd_holder() fix fs/block_dev.c: In function 'find_bd_holder': fs/block_dev.c:666: warning: return makes integer from pointer without a cast fs/block_dev.c:669: warning: return makes integer from pointer without a cast fs/block_dev.c: In function 'add_bd_holder': fs/block_dev.c:685: warning: unused variable 'tmp' fs/block_dev.c: In function 'bd_claim_by_kobject': fs/block_dev.c:773: warning: assignment makes pointer from integer without a cast Acked-by: Jun'ichi Nomura Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 1b7c2dbc07bf0663a41e3dc838992930019f08fd Author: James Morris Date: Tue Oct 31 00:43:44 2006 -0800 [IPV6]: fix flowlabel seqfile handling There's a bug in the seqfile show operation for flowlabel objects, where each hash chain is traversed cumulatively for each element. The following function is called for each element of each chain: static void ip6fl_fl_seq_show(struct seq_file *seq, struct ip6_flowlabel *fl) { while(fl) { seq_printf... fl = fl->next; } } Thus, objects can appear mutliple times when reading /proc/net/ip6_flowlabel, as the above is called for each element in the chain. The solution is to remove the while() loop from the above, and traverse each chain exactly once, per the patch below. This also removes the ip6fl_fl_seq_show() function, which does nothing else. Signed-off-by: James Morris Signed-off-by: David S. Miller commit 4731f2dfd5049b7a2b3b5a7131525f6151855f0d Author: Jamie Lenehan Date: Tue Oct 31 12:36:35 2006 +0900 sh: Titan defconfig update. Small defconfig update for titan for 2.6.19-rc3, adding SH-RTC. Signed-off-by: Jamie Lenehan Signed-off-by: Paul Mundt commit bd71ab88deab3358241f22ed6c035c427aacc4e7 Author: Jamie Lenehan Date: Tue Oct 31 12:35:02 2006 +0900 sh: Fix IPR-IRQ's for IRQ-chip change breakage. The conversion from IPR-IRQ to IRQ-chip resulted in the ipr data being allocated in a local variable in make_ipr_irq - breaking anything using IPR interrupts. This changes all of the callers of make_ipr_irq to allocate a static structure containing the IPR data which is then passed to make_ipr_irq. This removes the need for make_ipr_irq to allocate any additional space for the IPR information. Signed-off-by: Jamie Lenehan Signed-off-by: Paul Mundt commit 1f6c526c409ed7ecdd02469c46ab4b4a50ebec45 Author: Paul Mundt Date: Tue Oct 31 12:33:30 2006 +0900 sh: Update r7780rp_defconfig. Small defconfig updates for R7780RP, enabling SH-RTC. Signed-off-by: Paul Mundt commit 1aea7e00f6b83d32d359aeb8d670f1f7aaa88d55 Author: Kristoffer Ericson Date: Tue Oct 31 11:47:27 2006 +0900 video: Fix include in hp680_bl. The hp6xx.h header moved location, causing the build to fail, fix it up. Signed-off-by: Kristoffer Ericson Signed-off-by: Paul Mundt commit 6887d83d6a537b5002edff7efa1a7c600af0ce26 Author: Paul Mundt Date: Tue Oct 31 11:44:25 2006 +0900 sh: Wire up new syscalls. This wires up sys_move_pages, sys_getcpu, and sys_epoll_pwait. Signed-off-by: Paul Mundt commit 5af47db796cb7e06e9bafb0d75ad98693b55f8b6 Author: David S. Miller Date: Mon Oct 30 01:10:20 2006 -0800 [SPARC64]: Add some missing print_symbol() calls. Signed-off-by: David S. Miller commit 9001f2850ff92b52d7654379e7b7feb72f78f161 Author: David S. Miller Date: Sun Oct 29 16:32:31 2006 -0800 [SPARC64]: Fix Tomatillo/Schizo IRQ handling. The code in schizo_irq_trans_init() should set irq_data->sync_reg to the location of the SYNC register if this is Tomatillo, and set it to zero otherwise. But that is not what it is doing. As a result, non-Tomatillo systems were trying to access a non-existent register resulting in bus errors at the first PCI interrupt. Thanks to Roland Stigge for the bug report. Signed-off-by: David S. Miller commit c6817e4c32d8c4118405d2dec30ac1c264349085 Author: James Morris Date: Mon Oct 30 18:56:06 2006 -0800 [IPV6]: return EINVAL for invalid address with flowlabel lease request Currently, when an application requests a lease for a flowlabel via the IPV6_FLOWLABEL_MGR socket option, no error is returned if an invalid type of destination address is supplied as part of the request, leading to a silent failure. This patch ensures that EINVAL is returned to the application in this case. Signed-off-by: James Morris Signed-off-by: David S. Miller commit de76e695a5ce19c121ba7e246b45f258be678a75 Author: Vlad Yasevich Date: Mon Oct 30 18:55:11 2006 -0800 [SCTP]: Remove temporary associations from backlog and hash. Every time SCTP creates a temporary association, the stack hashes it, puts it on a list of endpoint associations and increments the backlog. However, the lifetime of a temporary association is the processing time of a current packet and it's destroyed after that. In fact, we don't really want anyone else finding this association. There is no reason to do this extra work. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller commit 4f4443088b763ca4ac7521e9b4a881b52c294dec Author: Vlad Yasevich Date: Mon Oct 30 18:54:32 2006 -0800 [SCTP]: Correctly set IP id for SCTP traffic Make SCTP 1-1 style and peeled-off associations behave like TCP when setting IP id. In both cases, we set the inet_sk(sk)->daddr and initialize inet_sk(sk)->id to a random value. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller commit f8687afefcc821fc47c75775eec87731fe3de360 Author: Paul Moore Date: Mon Oct 30 15:22:15 2006 -0800 [NetLabel]: protect the CIPSOv4 socket option from setsockopt() This patch makes two changes to protect applications from either removing or tampering with the CIPSOv4 IP option on a socket. The first is the requirement that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option on a socket; this prevents untrusted applications from setting their own CIPSOv4 security attributes on the packets they send. The second change is to SELinux and it prevents applications from setting any IPv4 options when there is an IPOPT_CIPSO option already present on the socket; this prevents applications from removing CIPSOv4 security attributes from the packets they send. Signed-off-by: Paul Moore Signed-off-by: James Morris Signed-off-by: David S. Miller commit 920b868ae1dfdac77c5e8c97e7067b23680f043e Author: Dmitry Mishin Date: Mon Oct 30 15:14:27 2006 -0800 [NETFILTER]: ip_tables: compat code module refcounting fix This patch fixes bug in iptables modules refcounting on compat error way. As we are getting modules in check_compat_entry_size_and_hooks(), in case of later error, we should put them all in translate_compat_table(), not in the compat_copy_entry_from_user() or compat_copy_match_from_user(), as it is now. Signed-off-by: Dmitry Mishin Acked-by: Vasily Averin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit c073e3fa8b7f9841aa6451885f135656d455f511 Author: Martin Josefsson Date: Mon Oct 30 15:13:58 2006 -0800 [NETFILTER]: nf_conntrack: add missing unlock in get_next_corpse() Add missing unlock in get_next_corpse() in nf_conntrack. It was missed during the removal of listhelp.h . Also remove an unneeded use of nf_ct_tuplehash_to_ctrack() in the same function. Should be applied before 2.6.19 is released. Signed-off-by: Martin Josefsson Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit ef4512e76679b4f4997f60f93f8a576a0d20c26b Author: Vasily Averin Date: Mon Oct 30 15:13:28 2006 -0800 [NETFILTER]: ip_tables: compat error way cleanup This patch adds forgotten compat_flush_offset() call to error way of translate_compat_table(). May lead to table corruption on the next compat_do_replace(). Signed-off-by: Vasily Averin Acked-by: Dmitry Mishin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit 590bdf7fd2292b47c428111cb1360e312eff207e Author: Dmitry Mishin Date: Mon Oct 30 15:12:55 2006 -0800 [NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables There is a number of issues in parsing user-provided table in translate_table(). Malicious user with CAP_NET_ADMIN may crash system by passing special-crafted table to the *_tables. The first issue is that mark_source_chains() function is called before entry content checks. In case of standard target, mark_source_chains() function uses t->verdict field in order to determine new position. But the check, that this field leads no further, than the table end, is in check_entry(), which is called later, than mark_source_chains(). The second issue, that there is no check that target_offset points inside entry. If so, *_ITERATE_MATCH macro will follow further, than the entry ends. As a result, we'll have oops or memory disclosure. And the third issue, that there is no check that the target is completely inside entry. Results are the same, as in previous issue. Signed-off-by: Dmitry Mishin Acked-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit 844dc7c88046ecd2e52596730d7cc400d6c3ad67 Author: Patrick McHardy Date: Mon Oct 30 15:12:16 2006 -0800 [NETFILTER]: remove masq/NAT from ip6tables Kconfig help Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller commit bcd620757d3a4ae78ef0ca41adb5d9e400ed92b6 Author: James Morris Date: Mon Oct 30 15:08:42 2006 -0800 [IPV6]: fix lockup via /proc/net/ip6_flowlabel There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, after finding a flowlabel, the code will loop forever not finding any further flowlabels, first traversing the rest of the hash bucket then just looping. This patch fixes the problem by breaking after the hash bucket has been traversed. Note that this bug can cause lockups and oopses, and is trivially invoked by an unpriveleged user. Signed-off-by: James Morris Signed-off-by: David S. Miller commit a27b58fed90cc5654e2daf1d292cc5bc61be4dd7 Author: Heiko Carstens Date: Mon Oct 30 15:06:12 2006 -0800 [NET]: fix uaccess handling Signed-off-by: Heiko Carstens Signed-off-by: David S. Miller commit 28cd7752734563d5b0967b96a6bade7a1dc89c7f Author: Herbert Xu Date: Sun Oct 29 23:46:42 2006 -0800 [SCTP]: Always linearise packet on input I was looking at a RHEL5 bug report involving Xen and SCTP (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550). It turns out that SCTP wasn't written to handle skb fragments at all. The absence of any calls to skb_may_pull is testament to that. It just so happens that Xen creates fragmented packets more often than other scenarios (header & data split when going from domU to dom0). That's what caused this bug to show up. Until someone has the time sits down and audits the entire net/sctp directory, here is a conservative and safe solution that simply linearises all packets on input. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit c20e3945c761502b9d5d73ef0ff5f1a84b3a717e Author: David S. Miller Date: Sun Oct 29 16:14:55 2006 -0800 [ETH1394]: Fix unaligned accesses. Several u64 objects are derefernced in situations where the pointer is not guarenteed to be aligned correctly. Use get_unaligned() as needed. Thanks to Will Simoneau for lots of testing and debugging help. Signed-off-by: David S. Miller Acked-by: Stefan Richter commit 234af4840135342ab295b4e1219fd35c27fdd439 Author: Randy Dunlap Date: Sun Oct 29 16:03:30 2006 -0800 [DCCP]: fix printk format warnings Fix printk format warnings: build2.out:net/dccp/ccids/ccid2.c:355: warning: long long unsigned int format, u64 arg (arg 3) build2.out:net/dccp/ccids/ccid2.c:360: warning: long long unsigned int format, u64 arg (arg 3) build2.out:net/dccp/ccids/ccid2.c:482: warning: long long unsigned int format, u64 arg (arg 5) build2.out:net/dccp/ccids/ccid2.c:639: warning: long long unsigned int format, u64 arg (arg 3) build2.out:net/dccp/ccids/ccid2.c:639: warning: long long unsigned int format, u64 arg (arg 4) build2.out:net/dccp/ccids/ccid2.c:674: warning: long long unsigned int format, u64 arg (arg 3) build2.out:net/dccp/ccids/ccid2.c:720: warning: long long unsigned int format, u64 arg (arg 3) Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller commit c8884edd078748905552d667857259e5358e1232 Author: Herbert Xu Date: Sun Oct 29 15:59:41 2006 -0800 [NET]: Fix segmentation of linear packets skb_segment fails to segment linear packets correctly because it tries to write all linear parts of the original skb into each segment. This will always panic as each segment only contains enough space for one MSS. This was not detected earlier because linear packets should be rare for GSO. In fact it still remains to be seen what exactly created the linear packets that triggered this bug. Basically the only time this should happen is if someone enables GSO emulation on an interface that does not support SG. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit 54489c14c058822f7019648b3718bd3820dee802 Author: David S. Miller Date: Fri Oct 27 15:29:47 2006 -0700 [XFRM] xfrm_user: Fix unaligned accesses. Use memcpy() to move xfrm_address_t objects in and out of netlink messages. The vast majority of xfrm_user was doing this properly, except for copy_from_user_state() and copy_to_user_state(). Signed-off-by: David S. Miller commit 201a95afaa324b23188eeec268f6bb0b4b70b710 Author: David S. Miller Date: Fri Oct 27 15:26:21 2006 -0700 [APPLETALK]: Fix potential OOPS in atalk_sendmsg(). atrtr_find() can return NULL, so do not blindly dereference rt->dev before we check for rt being NULL. Signed-off-by: David S. Miller commit d458fd82c9bb536e4a582955e88554a02a92bf78 Author: Randy Dunlap Date: Thu Oct 26 17:15:20 2006 -0700 [NET] sealevel: uses arp_broken_ops On Wed, 25 Oct 2006 18:03:13 +0200 Toralf Förster wrote: > WARNING: "arp_broken_ops" [drivers/net/wan/sealevel.ko] undefined! > make[1]: *** [__modpost] Error 1 > make: *** [modules] Error 2 > > Here's the config: ... > # CONFIG_INET is not set > CONFIG_SEALEVEL_4021=m Sealevel uses arp_broken_ops so it needs to depend on INET. Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller commit f2454a1a4b2aca38d3b7887619f43291d773c1ee Author: Jes Sorensen Date: Wed Oct 25 05:49:53 2006 -0400 [IA64] don't double >> PAGE_SHIFT pointer for /dev/kmem access Don't PAGE_SHIFT pointer before handing it to virt_to_page() in xlate_dev_kmem_ptr() as it results in a double shift. Spotted by Bob Montgomery. Signed-off-by: Jes Sorensen Signed-off-by: Tony Luck