git.osdn.net Git - linux-kernel-docs/linux-2.4.36.git/log

[PATCH] scsi aic7xxx parenthesis fix

Hello,

This patch adds missing parenthesis.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/scsi/aic7xxx/aic79xx_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] scsi 53c7xx parenthesis fix

Hello,

Tis patch removes an extra parenthesis in abort_connected() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/scsi/53c7xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] scsi 53c7,8xx parenthesis fix

Hello,

This patch removes an extra parenthesis in debugger_fn_bs() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/scsi/53c7,8xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] net wavelan parenthesis fix

Hello,

This patch adds missing parenthesis in wavelan_ioctl() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/net/wavelan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] message fusion parenthesis fix

Hello,

This patch removes an extra parenthesis in mptscsih_abort() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/message/fusion/mptscsih.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH] ide serverworks parenthesis fix

Hello,

This code is '#if 0'ed but hell ... while I'm at it I can fix it :-]

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/ide/pci/serverworks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] ide legacy hd parenthesis fix

Hello,

This patch removes an extra parenthesis from read_intr() debug code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/ide/legacy/hd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] serial_amba parenthesis fix

Hello,

This patch adds missing parenthesis in ambauart_modem_status() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/char/serial_amba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] rio parenthesis fix

Hello,

This patch adds missing parenthesis in RIOMCAinit() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/char/rio/rioinit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] amijoy joystick parenthesis fix

Hello,

This patch adds missing parenthesis in amijoy_interrupt() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
drivers/char/joystick/amijoy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH] add missing parenthesis in pci-v320usc

Hello,

This patch adds missing parenthesis in v320usc_inb() macro.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
arch/sh/kernel/pci-v320usc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] arm: dma-arc add missing parenthesis

Hello,

This patch adds missing parenthesis in arc_floppy_data_enable_dma() code.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
arch/arm/kernel/dma-arc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] fix build of serial with DEBUG enabled

This patch corrects define statement and variable name. Without this
patch is impossible to compile the serial driver with debug information.
This is probably copy/paste mistake from 2.2 or whatever.

[PATCH] fix channel balance on TV cards with LG head

This patch corrects channel balance in TV cards with LG head, without
this one channel is almost off (I have this TV card). This one is
already fixed in 2.6.

[PATCH] usb-storage: HP-FDC-GOLD need US_FL_SINGLE_LUN

I wanted to make my USB floppy work on 2.4.
I added USB FDC GOLD-1.11 that needs US_FL_SINGLE_LUN

[PATCH] usb-storage: backport unusual_devs from 2.6.20

Backport unusual devices from 2.6.20, only those with flags known in 2.4 :
  NEC USB UF000x, FDC GOLD-2.30, NIKON DSC D70, NIKON DSC D70s,
  Epson 875DC Storage, Sony DSC-T1/T5/H5, Sony Handycam,
  Sony PEG Mass Storage, SAMSUNG SFD-321U [FW 0C], Apple iPod,
  Thomson Multimedia Inc. RCA RD1080 MP3 Player,
  Freecom Technologies FHD-Classic, DataFab Systems Inc. USB CF+MS,
  CITIZEN X1DE-USB, Acomdata CF, Acomdata CM, Unknown 0x0c45, 0x1060,
  Sony Ericsson P990i, Sony Ericsson M600i, Minolta Dimage Z10

Devices with those flags unknown in 2.4 were not backported :
  CONFIG_USB_STORAGE_ONETOUCH, US_FL_BULK32, US_FL_GO_SLOW,
  US_FL_IGNORE_DEVICE, US_FL_IGNORE_RESIDUE, US_FL_MAX_SECTORS_64,
  US_FL_NEED_OVERRIDE, US_FL_NOT_LOCKABLE, US_FL_NO_WP_DETECT,
  US_PR_ALAUDA, US_PR_KARMA, US_PR_USBAT

Update those devices :
- Mitsumi FDD modified in 2.6.19
   https://lists.one-eyed-alien.net/pipermail/usb-storage/2006-November/002722.html

Keep those devices blacklisted in 2.4 although they were removed in 2.6 :
- LaCie USB Hard Disk
   https://lists.one-eyed-alien.net/pipermail/usb-storage/2006-August/002608.html
- Flashgate Hagiwara 0x0693, 0x0002, 0x0100, 0x0100
   http://www.ussg.iu.edu/hypermail/linux/kernel/0510.3/2104.html

- IBM USB Memory Key 0x0a16, 0x8888, 0x0100, 0x0100
   http://www.kernel.org/pub/linux/kernel/people/gregkh/usb/2.5/usb-storage-04-2.5.73.patch

[PATCH] usb 2.4: Support high-speed HID

Fix high-speed HID. According to Stuart:

The problem is that the usbhid driver (in hid-core.c) is _not_ modifying
the interrupt URB interval for high speed devices before calling
FILL_INT_URB, which causes the interval to be too low, and the ehci
driver won't schedule the URB.

Specifically this was seen with a new USB 2.0 Avocent KVM dongle.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>

Change VERSION to 2.4.35-pre1

    - [NET] ethernet: Fix first packet goes out with MAC 00:00:00:00:00:00
    - smbfs: fix problems introduced by last security backport
    - e1000: integrate latest 2.4 linux driver
    - [MAINTAINERS]: update e1000 maintainers
    - e1000: update README
    - proper locking on disconnect for mdc800
    - merge 2.6 backport of skge/sky2 network drivers
    - Merge branch 'skge'

e1000: update README

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>

[MAINTAINERS]: update e1000 maintainers

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>

e1000: integrate latest 2.4 linux driver

This updates the e1000 driver to our out-of-tree equivalent of 7.3.20.
This adds support for several new pieces of e100 hardware, including
quad-port 82571's (copper only), integrated nics of ICH8. The patch
includes dynamic interrupt support, many rewrites of subcomponents such
as wol enabling, manageability handling, shutdown/reset race fixes,

To keep the difference with the 2.6-version of this driver minimal
(which will facilitate future updates) we include a small compatibility
layer exclusively for e1000.

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>

Merge branch 'skge'

[PATCH] merge 2.6 backport of skge/sky2 network drivers

Quite a bunch of x86 motherboards equipped with a Gigabit LAN
port make use of a Marvell chip which requires the vendor's driver
from www.marvell.com. This driver is known to have some troubles,
among which losing frames under UDP-only trafic such as NFS and
DNS.

Stephen Hemminger has rewritten two separate drivers from scratch
for those chips to solve many problems in the historical driver.
A backport of his work is provided here as an alternate driver
for people experiencing problems with the vendor's one.

Current versions (skge-1.6 and sky2-1.5) do not support NAPI and
as such, consume slightly more CPU than the vendor's driver, but
at least they do seem to work correctly on UP. No test has been
performed on SMP yet.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[NET] ethernet: Fix first packet goes out with MAC 00:00:00:00:00:00

This is a backport of a patch which was first included in Linux 2.6.16-rc5.
What follows between the "======" markers is the original description.

======
When you turn off ARP on a netdevice then the first packet always goes
out with a dstMAC of all zeroes. This is because the first packet is
used to resolve ARP entries. Even though the ARP entry may be resolved
(I tried by setting a static ARP entry for a host i was pinging from),
it gets overwritten by virtue of having the netdevice disabling ARP.

Subsequent packets go out fine with correct dstMAC address (which may
be why people have ignored reporting this issue).

To cut the story short:

the culprit code is in net/ethernet/eth.c::eth_header()
----
          /*
           *      Anyway, the loopback-device should never use this function...
           */

          if (dev->flags & (IFF_LOOPBACK|IFF_NOARP))
          {
                  memset(eth->h_dest, 0, dev->addr_len);
                  return ETH_HLEN;
          }

          if(daddr)
          {
                  memcpy(eth->h_dest,daddr,dev->addr_len);
                  return ETH_HLEN;
          }
----

Note how the h_dest is being reset when device has IFF_NOARP.

As a note:
All devices including loopback pass a daddr. loopback in fact passes
a 0 all the time ;->
This means i can delete the check totaly or i can remove the IFF_NOARP

Alexey says:
--------------------
I think, it was me who did this crap. It was so long ago I do not remember
why it was made.

I remember some troubles with dummy device. It tried to resolve
addresses, apparently, without success and generated errors instead of
blackholing. I think the problem was eventually solved at neighbour
level.

After some thinking I suspect the deletion of this chunk could change
behaviour of some parts which do not use neighbour cache f.e. packet
socket.

I think safer approach would be to move this chunk after if (daddr).
And the possibility to remove this completely could be analyzed later.
--------------------

Patch updated with Alexey's safer suggestions.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
======

This problem also arises when transmitting IP multicast packets. If you send an
IP multicast stream over an ethernet network interface ethX and turn off ARP on
ethX then Linux will produce an ethernet frame with a dest. addresses of
00:00:00:00:00:00 (which is invalid). As IP multicast addresses are directly
mapped to HW (MAC) addresses without invoking any ARP protocol mechanisms - for
IP4 this mapping is performed by the function ip_eth_mc_map - it makes perfect
sense to do this even if ARP is disabled. Further, this problem may occur
periodically, everytime the corresponding struct dst_entry is garbage-collected
(e.g. ~ every 10 minutes).

Patch ported to Linux 2.4 by Christian Praehauser.

Signed-off-by: Christian Praehauser <cpraehaus@cosy.sbg.ac.at>

[PATCH] proper locking on disconnect for mdc800

this makes mdc800 take the necessary lock in disconnect() to prevent
submission of an URB for a disconnected device.

Signed-off-by: Oliver Neukum <oliver@neukum.name>

[PATCH] smbfs: fix problems introduced by last security backport

Users have reported a symlink issue with my recent smbfs backport.
Turns out my backport overlooked a second 2.6 patch w/ the fix:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=419e7b76CdrmRG_NZ8LKj9DUUBGu1w

This is a backport of Haroldo Gamal's 2.6 patch that fixes the symlink
issue, and also cleans up an unnecessary double assignment. As his
commit message notes, you will need the userspace patches from Samba
Bug #999 in order to use the permission/ownership assigned by the
server.

Signed-off-by: dann frazier <dannf@debian.org>

Change VERSION to 2.4.34

Change VERSION to 2.4.34-rc4

- Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

[PATCH] Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function
and ->timer.data and later on calls add_timer() with no init_timer()
ever done. The call of init_timer() is needed, because otherwise the
call of add_timer() will result in an instant death.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Change VERSION to 2.4.34-rc3

- zeromap may find a pte
- Fix incorrect user space access locking in mincore() (CVE-2006-4814)

[PATCH] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

Fix incorrect user space access locking in mincore()

Doug Chapman noticed that mincore() will do a "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no.  While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
scenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.

Hugh "ported" it to 2.4:
please note two slight changes to behaviour under error conditions:

(a) mincore used to report -EINVAL if input len was so big that the
given area wrapped: that shouldn't be a distinct case from crossing
a hole in the address space, 2.6.11 corrected the error to -ENOMEM,
and this patch extends that correction to 2.4.

(b) mincore used to report -ENOMEM if the given area crossed a hole
in the address space, but continued to fill in the vector for file-
backed regions above - yet didn't fill the vector with non-present
entries for the hole, just ignored it.  This patch continues to
report -ENOMEM if the given area crosses a hole in the address
space, but simply stops filling the vector at that point.  We
doubt any app could be relying on the previous weird behaviour.

Cc: Doug Chapman <dchapman@redhat.com>
Cc: Marcel Holtmann <holtmann@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

[PATCH] zeromap may find a pte

Ramiro Voicu hit 2.6's BUG_ON(!pte_none(*pte)) in zeromap_pte_range:
kernel bugzilla 7645.  Right: read_zero_pagealigned uses down_read of
mmap_sem, but another thread's racing read of /dev/zero, or a normal
fault, can easily set that pte again, in between zap_page_range and
zeromap_page_range getting there.  It's been wrong ever since 2.4.3.

The simple fix is to use down_write instead, but that would serialize
reads of /dev/zero more than at present: perhaps some app would be
badly affected.  So instead let zeromap_page_range return the error
instead of BUG in forget_pte, and read_zero_pagealigned break to the
slower clear_user loop in that case - no need to optimize for it.

Signed-off-by: Hugh Dickins <hugh@veritas.com>

Change VERSION to 2.4.34-rc2

- [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

[PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Change VERSION to 2.4.34-rc1

    - smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions (CVE-2006-5871)
    - i2c cleanup : several cleanups
    - fix for transient error in usb printer driver
    - task stte leak in pegasus usb driver
    - Masking bug in 6pack driver
    - x86 microcode: dont check the size
    - rio: typo in bitwise AND expression.
    - flashpoint: use '!' instead of '~' with EE_SYNC_MASK
    - jfs: incorrect use of "&&" instead of "&"
    - arm: incorrect use of "&&" instead of "&"
    - e100: incorrect use of "&&" instead of "&"
    - ps2esdi: typo may cause premature timeout
    - fbcon: incorrect use of "&&" instead of "&"

[PATCH] smbfs : don't ignore uid/gid/mode mount opts w/ unix extensions

smbfs in 2.4 currently ignores the uid, gid & mode mount options if
unix extensions are enabled. Here is a backport of Haroldo Gamal's 2.6 fix for
Debian's 2.4.27 kernel that should apply cleanly to latest 2.4 git.

This issue has been assigned CVE-2006-5871.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] task stte leak in pegasus usb driver

Hi,

this is a conservative port of a 2.6 fix for the pegasus driver which leaks
TASK_UNINTERRUPTIBLE in error cases. In case of an error the state
needs to be reset to TASK_RUNNING.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>
Acked-by: Petko Manolov <petkan@nucleusys.com>

[PATCH] x86 microcode: dont check the size

(backported from 2.6)

IA32 manual says if micorcode update's size is 0, then the size is
default size (2048 bytes). But this doesn't suggest all microcode
update's size should be above 2048 bytes to me. We actually had a
microcode update whose size is 1024 bytes. The patch just removed the
check.

Backported to 2.6.18 by Daniel Drake.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Shaohua Li <shaohua.li@intel.com>

[PATCH] fix for transient error in usb printer driver

Hi,

this is a port of a fix for 2.6 which handles transient errors while
writing to the printer. The buffer has to be marked free again if
urb submission fails, as the completion handler can't do it.
Please apply to the 2.4 tree.

Regards
Oliver

Signed-off-by: Oliver Neukum <oliver@neukum.name>

[PATCH] i2c cleanup : warning fix

Fix the following warning on x86_64:

i2c-proc.c: In function "i2c_proc_real":
i2c-proc.c:388: warning: passing argument 3 of "i2c_write_reals" from incompatible pointer type

This was fixed in a similar way in i2c-SVN in April 2003.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : resync algo ids

Resync i2c algorithm IDs with the values used in the 2.6 kernel
tree and the external i2c tree. These are arbitrary values anyway,
not exported to user-space.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : simplify code

Simplify core i2c code as was done in the external i2c tree. There are
three type of changes:
* Flatten imbricated if/else constructs
* Drop useless masking
* Change void* parameters to char* to avoid having to cast them
everywhere we use them

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : c99 struct init

Switch all i2c drivers to use the C99-style structure initialization,
as it is way safer.

Note that some hardcoded 100 are converted to HZ in the process,
as this was the true intent of the original code.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : dead code removal

Discard dead code from the i2c subsystem.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] i2c cleanup : typos and whitespace

Trivial changes picked from the i2c SVN repository. This includes:
* Documentation updates
* Comment updates
* Whitespace changes
* Typo fixes in strings and comments
* Includes reordering
* Drop of includes and comments relative to kernel version 2.0 to 2.3
The idea is to minimize the meaningless differences between both theres
so that real differences are easier to see.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] fbcon: incorrect use of "&&" instead of "&"

The use of "&&" in the following statement causes unexpected
cases to be matched since __SCROLL_YMASK = 0x0f :

    switch (p->scrollmode && __SCROLL_YMASK)
        case __SCROLL_YWRAP: ...  /* 0x02 */
        case __SCROLL_YPAN: ...   /* 0x01 */

The YWRAP case can never be matched and the YPAN case may be
matched by mistake. Obvious fix is to replace && with &. This
bug is not present in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-By: Geert Uytterhoeven <geert@linux-m68k.org>

[PATCH] ps2esdi: typo may cause premature timeout

The stop condition in the following statement causes an immediate
break out of the loop because ESDI_TIMEOUT=0xf000 and the result
of the !(inb()) expression can only be either 0 or 1, which means
that i never gets counted down.

   for (i = ESDI_TIMEOUT;
        i & !(inb(ESDI_STATUS) & STATUS_STAT_AVAIL);
        i--);

The obvious cause is the use of "i & !" instead of "i && !". This
was already fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] e100: incorrect use of "&&" instead of "&"

In e100_do_ethtool_ioctl(), bdp->flags is a bitfield and is
checked for some bits but the AND operation is performed with
&& instead of &. Obvious fix is to use "&" as in all other
places. 2.6 does not seem affected.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: David Miller <davem@davemloft.net>

[PATCH] arm: incorrect use of "&&" instead of "&"

In integrator_init_irq(), the use of "&&" in the following
statement causes all interrupts to be marked valid regardless
of INTEGRATOR_SC_VALID_INT, as long as it's non-zero :

if (((1 << i) && INTEGRATOR_SC_VALID_INT) != 0)

Obvious fix is to replace it with "&". This was already fixed
in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Russell King <rmk+lkml@arm.linux.org.uk>

[PATCH] jfs: incorrect use of "&&" instead of "&"

in jfs_txnmgr, the use of "tblk->flag && COMMIT_DELETE" in a
if() condition is obviously wrong. This bug has already been
fixed in 2.6.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>

[PATCH] flashpoint: use '!' instead of '~' with EE_SYNC_MASK

Trivial typo found by grep in 2.4 code, already fixed in 2.6.
The complement mask was computed with '!' instead of '~' while
the mask was not 1 :

  #define  EE_SYNC_MASK      (BIT(0)+BIT(1))
  currTar_Info->TarEEValue = (currTar_Info->TarEEValue & !EE_SYNC_MASK)
  temp2.tempb[0] = (temp2.tempb[0] & !EE_SYNC_MASK) | syncVal;
  temp2.tempb[1] = (temp2.tempb[1] & !EE_SYNC_MASK) | syncVal;

[PATCH] rio: typo in bitwise AND expression.

The line :

hp->Mode &= !RIO_PCI_INT_ENABLE;

is obviously wrong as RIO_PCI_INT_ENABLE=0x04 and is used as a bitmask
2 lines before. Getting no IRQ would not disable RIO_PCI_INT_ENABLE
but rather RIO_PCI_BOOT_FROM_RAM which equals 0x01.

Obvious fix is to change ! for ~.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Patrick vd Lageweg <patrick@BitWizard.nl>

[PATCH] Masking bug in 6pack driver

Looks like a broken masking to me, binary not is used where bitwise not
was intended.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Change VERSION to 2.4.34-pre6

    - [I2C] update web site address and contacts
    - [I2C] do not ignore error when returning from i2c_add_adapter()
    - [I2C] i2c-matroxfb: Struct init conversion
    - [I2C] Fix copy-n-paste error in i2c Config.in.
    - [I2C] remove non-existing functions declarations.
    - knfsd: Fix race that can disable NFS server.
    - i2c-elv: fix erroneous '&&' operator
    - fix "&& 0xffff" typo in gdth.c
    - fix obvious "&& 0xFFFFFF" typo in cpqfcTSworker
    - fix "&& 0xff" typo in qeth_qdio_input_handler
    - fix two "&& 0x03" in usbnet
    - EXT3: avoid crashing by not dividing by zero.
    - EXT2: avoid crashing by not dividing by zero.
    - [GCC4] fix build error in arch/alpha/kernel/osf_sys.c
    - [GCC4] fix build error in arch/alpha/kernel/irq.c
    - [GCC4] fix build error in arch/alpha/lib/io.c
    - [GCC4] fix build error in arch/alpha/math-emu/math.c

[PATCH][I2C] remove non-existing functions declarations.

Drop the function declarations for slave mode support of i2c adapters.
This was never implemented.

Partial backport of:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6d3aae9d74221b00e2cbf50a353527e5a71a58ba

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH][I2C] Fix copy-n-paste error in i2c Config.in.

Backport from a Linux 2.6 patch by Arthur Othieno:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=be53f9b2a08e647396ceaa004199ae4b032a9bd2

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Arthur Othieno <apgo@patchbomb.org>

[PATCH][I2C] i2c-matroxfb: Struct init conversion

Convert the struct i2c_algo_bit_data initialization to proper C99
style.

Backport from:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8241cb1401873e18bba746fd3f6c56ce4252a61f

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Petr Vandrovec <vandrove@vc.cvut.cz>

[PATCH][I2C] do not ignore error when returning from i2c_add_adapter()

i2c_add_adapter may fail. Most i2c algorithm drivers ignore this
fact, fix them. This is a backport from a patch from Mark M. Hoffman
to Linux 2.6.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH][I2C] update web site address and contacts

We have a new mailing list dedicated to linux i2c:
http://lists.lm-sensors.org/mailman/listinfo/i2c

The lm-sensors website moved to http://www.lm-sensors.org/.

Signed-off-by: Jean Delvare <khali@linux-fr.org>

[GCC4] fix build error in arch/alpha/math-emu/math.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=math -c -o math.o math.c
math.c: In function 'alpha_fp_emul':
math.c:204: warning: right shift count is negative
math.c:204: warning: left shift count >= width of type
math.c:220: warning: left shift count is negative
math.c:238: warning: statement with no effect
math.c:258: error: invalid lvalue in assignment
math.c:258: warning: right shift count >= width of type
math.c:258: warning: right shift count >= width of type
math.c:262: error: invalid lvalue in assignment
math.c:262: warning: right shift count >= width of type
math.c:262: warning: right shift count >= width of type
math.c:270: warning: statement with no effect
math.c:270: warning: statement with no effect
math.c:270: warning: statement with no effect
math.c:277: warning: statement with no effect
math.c:277: warning: statement with no effect
math.c:277: warning: statement with no effect

[GCC4] fix build error in arch/alpha/lib/io.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=io -c -o io.o io.c
io.c: In function 'insb':
io.c:146: error: invalid lvalue in increment
io.c:157: error: invalid lvalue in increment
io.c:163: error: invalid lvalue in increment
io.c: In function 'insw':
io.c:185: error: invalid lvalue in increment
io.c:194: error: invalid lvalue in increment
io.c: In function 'insl':
io.c:222: error: invalid lvalue in increment
io.c:233: error: invalid lvalue in increment
io.c:239: error: invalid lvalue in increment
io.c:249: error: invalid lvalue in increment
io.c:251: error: invalid lvalue in increment
io.c:256: error: invalid lvalue in increment
io.c:266: error: invalid lvalue in increment
io.c:271: error: invalid lvalue in increment
io.c:275: error: invalid lvalue in increment
io.c: In function 'outsb':
io.c:293: error: invalid lvalue in increment
io.c: In function 'outsw':
io.c:310: error: invalid lvalue in increment
io.c:318: error: invalid lvalue in increment
io.c: In function 'outsl':
io.c:348: error: invalid lvalue in increment
io.c:358: error: invalid lvalue in increment
io.c:363: error: invalid lvalue in increment
io.c:374: error: invalid lvalue in increment
io.c:376: error: invalid lvalue in increment
io.c:380: error: invalid lvalue in increment
io.c:391: error: invalid lvalue in increment
io.c:395: error: invalid lvalue in increment
io.c:400: error: invalid lvalue in increment

[GCC4] fix build error in arch/alpha/kernel/irq.c

This patch fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=irq -c -o irq.o irq.c
irq.c: In function 'handle_irq':
irq.c:619: error: invalid lvalue in increment

[GCC4] fix build error in arch/alpha/kernel/osf_sys.c

This patches fixes this error with gcc 4 on alpha :

gcc-4.1 -D__KERNEL__ -I/data/git/public/linux-2.4/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fno-builtin-sprintf -fomit-frame-pointer -Wno-pointer-sign -pipe -mno-fp-regs -ffixed-8 -mcpu=ev6 -Wa,-mev6 -nostdinc -iwithprefix include -DKBUILD_BASENAME=osf_sys -c -o osf_sys.o osf_sys.c
osf_sys.c: In function 'osf_filldir':
osf_sys.c:128: error: invalid lvalue in assignment

[PATCH] EXT2: avoid crashing by not dividing by zero.

backport a few checks from 2.6 to avoid dividing by zero on invalid
superblocks.

[PATCH] EXT3: avoid crashing by not dividing by zero.

backport a few checks from 2.6 to avoid dividing by zero on invalid
superblocks.

[PATCH] fix two "&& 0x03" in usbnet

just another obvious typo.

[PATCH] fix "&& 0xff" typo in qeth_qdio_input_handler

this one is already OK in 2.6.

[PATCH] fix obvious "&& 0xFFFFFF" typo in cpqfcTSworker

[PATCH] fix "&& 0xffff" typo in gdth.c

same as 2.6 patch.

[PATCH-2.4] i2c-elv: fix erroneous '&&' operator

There was clearly a typo in i2c-elv.c.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

[PATCH] knfsd: Fix race that can disable NFS server.

This is a long standing bug that seems to have only recently become
apparent, presumably due to increasing use of NFS over TCP - many
distros seem to be making it the default.

The SK_CONN bit gets set when a listening socket may be ready
for an accept, just as SK_DATA is set when data may be available.

It is entirely possible for svc_tcp_accept to be called with neither
of these set.  It doesn't happen often but there is a small race in
svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the
spin_lock.  They could be cleared immediately after the test and
before the lock is gained.

This normally shouldn't be a problem.  The sockets are non-blocking so
trying to read() or accept() when ther is nothing to do is not a problem.

However: svc_tcp_recvfrom makes the decision "Should I accept() or
should I read()" based on whether SK_CONN is set or not.  This usually
works but is not safe.  The decision should be based on whether it is
a TCP_LISTEN socket or a TCP_CONNECTED socket.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

Change VERSION to 2.4.34-pre5
    - WATCHDOG: sc1200wdt.c pnp unregister fix.
    - incorrect timeout in mtd AMD driver of 2.4 kernel
    - SCTP: Always linearise packet on input
    - ISDN: fix drivers, by handling errors thrown by ->readstat()
    - copy_from_user information leak on s390.
    - s390 : fix typo in recent copy_from_user fix
    - [S390] user readable uninitialised kernel memory (3rd version)
    - [NETFILTER]: Fix deadlock on NAT helper unload
    - [BRIDGE]: netfilter deadlock
    - i386: remove unsigned long long cast in __pte() macro.
    - 2.4.x: i386/x86_64 bitops clobberings

[PATCH] WATCHDOG: sc1200wdt.c pnp unregister fix.

(backport from 2.6-stable)

If no devices found or invalid parameter is specified,
scl200wdt_pnp_driver is left unregistered.
It breaks global list of pnp drivers.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: Wim Van Sebroeck <wim@iguana.be>

[PATCH] ISDN: fix drivers, by handling errors thrown by ->readstat()

(backport from 2.6-stable)

This is a particularly ugly on-failure bug, possibly security, since the
lack of error handling here is covering up another class of bug: failure to
handle copy_to_user() return values.

The I4L API function ->readstat() returns an integer, and by looking at
several existing driver implementations, it is clear that a negative return
value was meant to indicate an error.

Given that several drivers already return a negative value indicating an
errno-style error, the current code would blindly accept that [negative]
value as a valid amount of bytes read. Obvious damage ensues.

Correcting ->readstat() handling to properly notice errors fixes the
existing code to work correctly on error, and enables future patches to
more easily indicate errors during operation.

Signed-off-by: Jeff Garzik <jeff@garzik.org>
Cc: Karsten Keil <kkeil@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: Karsten Keil <kkeil@suse.de>

[PATCH] SCTP: Always linearise packet on input

(backported from 2.6-stable)

I was looking at a RHEL5 bug report involving Xen and SCTP
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550).
It turns out that SCTP wasn't written to handle skb fragments at
all. The absence of any calls to skb_may_pull is testament to
that.

It just so happens that Xen creates fragmented packets more often
than other scenarios (header & data split when going from domU to
dom0). That's what caused this bug to show up.

Until someone has the time sits down and audits the entire net/sctp
directory, here is a conservative and safe solution that simply
linearises all packets on input.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
For 2.4 backport :
Acked-by: David S. Miller <davem@davemloft.net>

[BRIDGE]: netfilter deadlock

A deadlock was found in bridge netfilter code (2.4 only), when a
device is removed. The device removal path causes a BPDU to be
generated and ends up self deadlocking on the BR lock.

Simple fix would be to avoid generating config bpdu's immediately when
becoming root bridge, and just let the first hello timer tick do that.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] incorrect timeout in mtd AMD driver of 2.4 kernel

I found a problem in the MTD driver for AMD flash chips that caused
occasional write errors on my WiFi router running OpenWrt. The driver
uses (HZ/1000) to calculate a timeout value of at least 1 msec, but
since HZ is 100, the timeout is effectively zero. The fix is to
increment the timeout by 1 jiffie, which is also done in the 2.6 kernel.
The patch also fixes two missing newlines.

[PATCH] 2.4.x: i386/x86_64 bitops clobberings

Problem reported by Jan Kiszka <jan.kiszka@web.de> :
"After going through debugging hell with some out-of-tree code,
  I realised that this patch :

  http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=92934bcbf96bc9dc931c40ca5f1a57685b7b813b

  makes a difference: current 2.6 works with the following code
  sequence as expected (printk is executed), 2.4 fails. I used
  gcc 3.3.6-13 (Debian).

  unsigned long a = 1;

  int module_init(void)
  {
        unsigned long b = 0;
        int x;

        x = __test_and_set_bit(0, &b);
        if (__test_and_set_bit(0, &a))
                printk("x = %d\n", x);

        return -1;
  }

  I ported the x86 part back to 2.4.33 and my problem disappeared. "

The problem with this patch is that the use of "+m" in asm statements
triggers bugs in gcc 2.95 which is supported by kernel 2.4. For
instance, cyclades.c does not build anymore :

$ gcc -O2 -pipe -c cyclades-c.c
cyclades.c: In function `cyy_interrupt':
/usr/src/git/linux-2.4/include/asm/bitops.h:134: inconsistent operand constraints in an `asm'
cyclades.c: In function `cyz_handle_rx':
/usr/src/git/linux-2.4/include/asm/bitops.h:134: inconsistent operand constraints in an `asm'

As explained by Richard Henderson here, the equivalent construct
"=m"(x) : "m"(x) works on any version of gcc :

  http://marc.theaimsgroup.com/?l=3Dlinux-kernel&m=3D107475162200773&w=3D2

I successfully verified on the example code above and on cyclades.c
that the exact same code is produced on x86 with this construct with
gcc 2.95.3, 3.3.6, 3.4.4, and 4.1.1, and Jan confirmed it also fixed
his problem, so it looks fine.

Just like in the former patch for 2.6, this one was applied to both
i386 and x86_64.

Signed-Off-By: Willy Tarreau <w@1wt.eu>
Acked-By: Jan Kiszka <jan.kiszka@web.de>

[S390] user readable uninitialised kernel memory (3rd version)

Fixed a label and a few comments.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

[PATCH] s390 : fix typo in recent copy_from_user fix

unfortunatly a bug crept into the bug fix for 2.4: the arguments of the
mvcle that is supposed to clear the kernel buffer have been swapped for
64 bit (the code is fine for 31 bit :-/).

[PATCH] i386: remove unsigned long long cast in __pte() macro.

From PaX Team :
"I've just seen the commit of the __pte() macro fixes and i'm not
sure that a blind unsigned long long cast is the proper way to
handle the warnings. the thing is, if there's a warning as Ralf
said, then it means that the user of the macro is not passing the
proper argument to the macro, hence there's a likelyhood that the
caller itself may not be doing what it intended to do."

"I don't know about MIPS, but under i386/PAE the higher 32 bits do
carry 'interesting' bits (not only physical page number bits but
on NX capable CPUs the NX bit itself as well), so they can't be
blindly made 0 by doing an unsigned long long cast, it should be
decided by the user of the macro instead."

"So my suggestion would be to fix the callers instead of doing the
cast, that is, have gcc point out everyone not passing a properly
set up argument, figure out if a cast is proper (as i said, at
least on PAE it will loose important bits) and fix the caller."

Also, the only user seems to be drm-40/ffb_drv.c, which is only
enabled for sparc64. So the warning would never appear anyway.

Acked-By: Willy Tarreau <w@1wt.eu>

[NETFILTER]: Fix deadlock on NAT helper unload

When a NAT helper is unlocked conntrack/NAT may deadlock because of
the following lock sequence:

.. ip_nat_helper_unregister
-> ip_ct_selective_cleanup
-> get_next_corpse              (ip_conntrack_lock)
-> kill_helper                  (ip_nat_lock)

.. ip_nat_fn                    (ip_nat_lock)
-> ip_nat_setup_info
-> ip_conntrack_alter_reply     (ip_conntrack_lock)

Taking ip_nat_lock in kill_helper() is unnecessary since the helper assigned
to a connection is immutable and new connections can't have the helper that
is beeing unloaded assigned since it is already removed from the global list.

Reported by <doublefacer007@gmail.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] copy_from_user information leak on s390.

There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8

The uaccess code for s390 has changed recently, for older 2.6 versions
you need a different patch, and for 2.4 yet another one.

Description: kernel: user readable uninitialised kernel memory.
Symptom:     None.
Problem:     A user space program can read uninitialised kernel memory
             by appending to a file from a bad address and then reading
             the result back. The cause is the copy_from_user function
             that does not clear the remaining bytes of the kernel
             buffer after it got a fault on the user space address.
Solution:    Fix the copy_from_user function to clear the remaining bytes
             of the kernel buffer after a user space fault.

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH

Change VERSION to 2.4.34-pre4

- Backport fix for CVE-2006-4997 to 2.4 tree
- fbdev: correct buffer size limit in fbmem_read_proc()
- really fix size display for sun partitions larger than 1TByte
- i386: fix overflow in vmap on an x86 system which has more than 4GB memory.
- Advertise PPPoE MTU
- MIPS & i386: fix long long cast in pte macro
- block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting
- x86_64: Fix missing delay when the TSC counter just overflowed
- fix Configure.help concerning rp_filter

[PATCH] i386: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

Added the (unsigned long long) cast as suggested by Ralf Baechle to
silent gcc when shifting right 32-bit arguments.

Acked-by: Willy Tarreau <w@1wt.eu>

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Revert "[PATCH] MIPS: fix long long cast in pte macro"

The commit was bogus, it contained both the MIPS and the i386
fixes.

This reverts 5f81c2baacdb36638446d1356beb4ce4e13baedb commit.

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

[PATCH] really fix size display for sun partitions larger than 1TByte

Problem: the last fix introduced by Jeff Mahoney for kernel 2.6 was not
complete for kernel 2.4 (as applied). I found out that add_gd_partition
is called by any type of partition (2.4). add_gd_partition is defined
as add_gd_partition (int, int), what makes no sense to me as negative
numbers should never occur here. As long as add_gd_partition is not
changed to add_gd_partition (unsigned, unsigned), /proc/partitions will
keep showing negative numbers.

If ever someone could look into this, within the different partition
type files in linux/fs/partitions the parameters to add_gd_partitions
seem to be chosen arbitrarily between int, unsigned and unsigned long,
whatever seemed to be appropriate, I think it would make sense to get
consistent parameters to add_gd_partition from all partition types here.
Especially if one takes into account that sizeof (long) and sizeof (int)
may differ significantly i. e. on sparc.

Signed-off-by: Dieter Jurzitza <DJurzitza@HarmanBecker.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] fix Configure.help concerning rp_filter

Adrian Buciuman reported that Configure.help is wrong regarding
rp_filter, while ip_sysctl.txt is right. rp_filter is OFF by
default.

[PATCH] Backport fix for CVE-2006-4997 to 2.4 tree

Backport fix for CVE-2006-4997 to 2.4 tree, compile tested.
Original commit message follows.

[ATM] CLIP: Do not refer freed skbuff in clip_mkip().

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Original patch by YOSHIFUJI Hideaki.

Signed-off-by: dann frazier <dannf@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] fbdev: correct buffer size limit in fbmem_read_proc()

Address http://bugzilla.kernel.org/show_bug.cgi?id=7189

It should check `clen', not `len'.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: <jurij@wooyd.org>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: <stable@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@osdl.org>

[PATCH] Advertise PPPoE MTU

PPPoE must advertise the underlying device's MTU via the ppp channel
descriptor structure, as multilink functionality depends on it.

Signed-off-by: Michal Ostrowski <mostrows@earthlink.net>
Acked-by: Paul Mackerras <paulus@samba.org>

[PATCH] x86_64: Fix missing delay when the TSC counter just overflowed

I'd seen a problem that *delay functions return in too short delay.
It happens when the lower 32bit of TSC counter is overflowed.
This patch fixes the problem. This is back-port of Andi Kleen's
2.6 fix.

http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=6c51e28ffbbebf49437ec63ac4f9e385d60827e5

Signed-off-by: Toyo Abe <toyoa@mvista.com>

[PATCH] i386: fix overflow in vmap on an x86 system which has more than 4GB memory.

(max_mapnr << PAGE_SHIFT) would overflow on a system which has
4GB memory or more, and so could cause vmap to fail every time.

Signed-off-by: Michael Chen <micche@ati.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

[PATCH] block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting

Fix for unbalanced I/O accounting, that caused ios_in_flight
(CONFIG_BLK_STATS) to become and stay negative, as suggested by Jens
Axboe.

An added boolean field "io_account" in struct request is assumed to be
initialized to false on new requests. On starting I/O accounting, true is
assigned to the field. On ending I/O accounting, accounting is only
executed if the field has already been assigned true previously. Thus,
this fixes unbalanced cases where requests such as non-data get enqueued
without starting to account (ide_do_drive_cmd?) but the end of accounting
gets executed on finishing the same requests (ide_end_drive_cmd,
end_that_request_last, req_finished_io).

The precondition of io_account being initialized to false is ensured by

1) ide_init_drive_taskfile / ide_init_drive_cmd memset'ing the whole
request to zero, for requests that were potentially accounted unbalanced,
and

2) get_request assigning zero to io_account on allocating a request from
the free list cache (or slab cache initially), for the majority of
requests such as those involving data.

Jens preferred this to other discussed solutions and it should fix all
those unbalanced cases at once without touching each of them individually.

For more details, please see previous posts of this thread
http://www.uwsg.iu.edu/hypermail/linux/kernel/0608.2/0776.html.

I tested the patch with 2.4.24 and 2.4.33.3 successfully on an UP ia32
machine with one /dev/hda.

Signed-off-by: Steffen Maier <smaier@users.sourceforge.net>

Change VERSION to 2.4.34-pre3

This pre-version only includes GCC4 fixes and nothing else.
Build should work at least on i386, x86_64, PPC and sparc64.

Merge branch 'gcc4'

Change VERSION to 2.4.34-pre2

     - drivers/scsi/sg.c : fix CVE-2006-1528
     - [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
     - Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
     - binfmt_elf.c : fix checks for bad address
     - [DISKLABEL] SUN: Fix signed int usage for sector count
     - cciss: do not mark cciss_scsi_detect __init
     - i386 : fix exception processing in early boot
     - crypto : prevent cryptoloop from oopsing on stupid ciphers
     - loop.c: kernel_thread() retval check
     - [SCTP] Local privilege elevation - CVE-2006-3745
     - powerpc: Clear HID0 attention enable on PPC970 at boot time
     - Revert "export memchr() which is used by smbfs and lp driver."
     - [SPARC] export memchr() which is used by smbfs and lp driver.

[PATCH] i386 : fix exception processing in early boot

fix the longest existing kernel bug ever (since 0.01 ;-). basically,
the dummy interrupt handler installed for the early boot period does
not work for exceptions that push an error code as well, effectively
making the iret at the end of the handler to trigger another exception,
ad infinitum, or rather, until the kernel stack runs over, trashes all
memory below and eventually causes a CPU reset or a hang. without this
fix the early printk facility in 2.6 is also rather useless.