[kernel] r11245 - in dists/sid/linux-2.6/debian: . patches/bugfix/all/stable patches/series

Maximilian Attems maks at alioth.debian.org
Fri May 2 09:50:15 UTC 2008


Author: maks
Date: Fri May  2 09:50:14 2008
New Revision: 11245

Log:
add stable 2.6.25.1


Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.1
   dists/sid/linux-2.6/debian/patches/series/2
Modified:
   dists/sid/linux-2.6/debian/changelog

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Fri May  2 09:50:14 2008
@@ -1,3 +1,48 @@
+linux-2.6 (2.6.25-2) UNRELEASED; urgency=low
+
+  * Add stable release 2.6.25.1:
+    - Fix dnotify/close race (CVE-2008-1375)
+    - V4L: Fix VIDIOCGAP corruption in ivtv
+    - USB: log an error message when USB enumeration fails
+    - USB: OHCI: fix bug in controller resume
+    - SCSI: qla2xxx: Correct regression in relogin code.
+    - rose: Socket lock was not released before returning to user space
+    - x86, pci: fix off-by-one errors in some pirq warnings
+    - hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ
+    - RDMA/nes: Fix adapter reset after PXE boot
+    - rtc-pcf8583 build fix
+    - JFFS2: Fix free space leak with in-band cleanmarkers
+    - SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts
+    - tehuti: check register size (CVE-2008-1675)
+    - IPSEC: Fix catch-22 with algorithm IDs above 31
+    - alpha: unbreak OSF/1 (a.out) binaries
+    - tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
+    - aio: io_getevents() should return if io_destroy() is invoked
+    - mm: fix possible off-by-one in walk_pte_range()
+    - TCP: Increase the max_burst threshold from 3 to tp->reordering.
+    - ssb: Fix all-ones boardflags
+    - cgroup: fix a race condition in manipulating tsk->cg_list
+    - drivers/net/tehuti: use proper capability check for raw IO access
+    - tg3: 5701 DMA corruption fix
+    - V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken
+    - b43: Workaround invalid bluetooth settings
+    - b43: Add more btcoexist workarounds
+    - b43: Workaround DMA quirks
+    - dm snapshot: fix chunksize sector conversion
+    - x86: Fix 32-bit x86 MSI-X allocation leakage
+    - RTNETLINK: Fix bogus ASSERT_RTNL warning
+    - net: Fix wrong interpretation of some copy_to_user() results.
+    - dz: test after postfix decrement fails in dz_console_putchar()
+    - RDMA/nes: Free IRQ before killing tasklet
+    - S2io: Fix memory leak during free_tx_buffers
+    - S2io: Version update for memory leak fix during free_tx_buffers
+    - USB: Add HP hs2300 Broadband Wireless Module to sierra.c
+    - V4L: cx88: enable radio GPIO correctly
+    - hrtimer: raise softirq unlocked to avoid circular lock dependency
+    - tcp: tcp_probe buffer overflow and incorrect return value
+
+ -- maximilian attems <maks at debian.org>  Fri, 02 May 2008 11:45:33 +0200
+
 linux-2.6 (2.6.25-1) unstable; urgency=low
 
   * New upstream release (closes: #456799, #468440, #475161, #475134, #475441)

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.1
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.1	Fri May  2 09:50:14 2008
@@ -0,0 +1,1145 @@
+diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
+index 8c71daf..9fee37e 100644
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -75,6 +75,7 @@ osf_set_program_attributes(unsigned long text_start, unsigned long text_len,
+ 	lock_kernel();
+ 	mm = current->mm;
+ 	mm->end_code = bss_start + bss_len;
++	mm->start_brk = bss_start + bss_len;
+ 	mm->brk = bss_start + bss_len;
+ #if 0
+ 	printk("set_program_attributes(%lx %lx %lx %lx)\n",
+diff --git a/arch/x86/kernel/io_apic_32.c b/arch/x86/kernel/io_apic_32.c
+index 4ca5486..f239b30 100644
+--- a/arch/x86/kernel/io_apic_32.c
++++ b/arch/x86/kernel/io_apic_32.c
+@@ -2477,6 +2477,7 @@ void destroy_irq(unsigned int irq)
+ 	dynamic_irq_cleanup(irq);
+ 
+ 	spin_lock_irqsave(&vector_lock, flags);
++	clear_bit(irq_vector[irq], used_vectors);
+ 	irq_vector[irq] = 0;
+ 	spin_unlock_irqrestore(&vector_lock, flags);
+ }
+diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
+index a871586..579745c 100644
+--- a/arch/x86/pci/irq.c
++++ b/arch/x86/pci/irq.c
+@@ -200,7 +200,7 @@ static int pirq_ali_get(struct pci_dev *router, struct pci_dev *dev, int pirq)
+ {
+ 	static const unsigned char irqmap[16] = { 0, 9, 3, 10, 4, 5, 7, 6, 1, 11, 0, 12, 0, 14, 0, 15 };
+ 
+-	WARN_ON_ONCE(pirq >= 16);
++	WARN_ON_ONCE(pirq > 16);
+ 	return irqmap[read_config_nybble(router, 0x48, pirq-1)];
+ }
+ 
+@@ -209,7 +209,7 @@ static int pirq_ali_set(struct pci_dev *router, struct pci_dev *dev, int pirq, i
+ 	static const unsigned char irqmap[16] = { 0, 8, 0, 2, 4, 5, 7, 6, 0, 1, 3, 9, 11, 0, 13, 15 };
+ 	unsigned int val = irqmap[irq];
+ 
+-	WARN_ON_ONCE(pirq >= 16);
++	WARN_ON_ONCE(pirq > 16);
+ 	if (val) {
+ 		write_config_nybble(router, 0x48, pirq-1, val);
+ 		return 1;
+@@ -260,7 +260,7 @@ static int pirq_via586_get(struct pci_dev *router, struct pci_dev *dev, int pirq
+ {
+ 	static const unsigned int pirqmap[5] = { 3, 2, 5, 1, 1 };
+ 
+-	WARN_ON_ONCE(pirq >= 5);
++	WARN_ON_ONCE(pirq > 5);
+ 	return read_config_nybble(router, 0x55, pirqmap[pirq-1]);
+ }
+ 
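Review bot: `WARN_ON_ONCE(pirq > 5)` only logs, and the following line still evaluates `pirqmap[pirq-1]`, so an out-of-range `pirq` reads past the 5-entry table. `pirq == 0` (index -1) is not covered by the check at all. Where `pirq` comes from is not visible in this hunk; if it is taken from firmware routing data, the getter should reject it rather than warn, e.g. `if (WARN_ON_ONCE(pirq < 1 || pirq > 5)) return 0;`. The same applies to the pirq_via586_set, pirq_ite_get and pirq_ite_set hunks that follow, each with its own table size and an appropriate failure return for the setters.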
+@@ -268,7 +268,7 @@ static int pirq_via586_set(struct pci_dev *router, struct pci_dev *dev, int pirq
+ {
+ 	static const unsigned int pirqmap[5] = { 3, 2, 5, 1, 1 };
+ 
+-	WARN_ON_ONCE(pirq >= 5);
++	WARN_ON_ONCE(pirq > 5);
+ 	write_config_nybble(router, 0x55, pirqmap[pirq-1], irq);
+ 	return 1;
+ }
+@@ -282,7 +282,7 @@ static int pirq_ite_get(struct pci_dev *router, struct pci_dev *dev, int pirq)
+ {
+ 	static const unsigned char pirqmap[4] = { 1, 0, 2, 3 };
+ 
+-	WARN_ON_ONCE(pirq >= 4);
++	WARN_ON_ONCE(pirq > 4);
+ 	return read_config_nybble(router,0x43, pirqmap[pirq-1]);
+ }
+ 
+@@ -290,7 +290,7 @@ static int pirq_ite_set(struct pci_dev *router, struct pci_dev *dev, int pirq, i
+ {
+ 	static const unsigned char pirqmap[4] = { 1, 0, 2, 3 };
+ 
+-	WARN_ON_ONCE(pirq >= 4);
++	WARN_ON_ONCE(pirq > 4);
+ 	write_config_nybble(router, 0x43, pirqmap[pirq-1], irq);
+ 	return 1;
+ }
+diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
+index b2112f5..a3b2374 100644
+--- a/drivers/infiniband/hw/nes/nes.c
++++ b/drivers/infiniband/hw/nes/nes.c
+@@ -751,13 +751,13 @@ static void __devexit nes_remove(struct pci_dev *pcidev)
+ 
+ 	list_del(&nesdev->list);
+ 	nes_destroy_cqp(nesdev);
++
++	free_irq(pcidev->irq, nesdev);
+ 	tasklet_kill(&nesdev->dpc_tasklet);
+ 
+ 	/* Deallocate the Adapter Structure */
+ 	nes_destroy_adapter(nesdev->nesadapter);
+ 
+-	free_irq(pcidev->irq, nesdev);
+-
+ 	if (nesdev->msi_enabled) {
+ 		pci_disable_msi(pcidev);
+ 	}
+diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
+index 0bef878..96b1a0e 100644
+--- a/drivers/infiniband/hw/nes/nes_cm.c
++++ b/drivers/infiniband/hw/nes/nes_cm.c
+@@ -1834,8 +1834,10 @@ int mini_cm_recv_pkt(struct nes_cm_core *cm_core, struct nes_vnic *nesvnic,
+ 	nfo.rem_addr = ntohl(iph->saddr);
+ 	nfo.rem_port = ntohs(tcph->source);
+ 
+-	nes_debug(NES_DBG_CM, "Received packet: dest=0x%08X:0x%04X src=0x%08X:0x%04X\n",
+-			iph->daddr, tcph->dest, iph->saddr, tcph->source);
++	nes_debug(NES_DBG_CM, "Received packet: dest=" NIPQUAD_FMT
++		  ":0x%04X src=" NIPQUAD_FMT ":0x%04X\n",
++		  NIPQUAD(iph->daddr), tcph->dest,
++		  NIPQUAD(iph->saddr), tcph->source);
+ 
+ 	/* note: this call is going to increment cm_node ref count */
+ 	cm_node = find_node(cm_core,
+diff --git a/drivers/infiniband/hw/nes/nes_hw.c b/drivers/infiniband/hw/nes/nes_hw.c
+index 49e53e4..496655e 100644
+--- a/drivers/infiniband/hw/nes/nes_hw.c
++++ b/drivers/infiniband/hw/nes/nes_hw.c
+@@ -625,6 +625,15 @@ unsigned int nes_reset_adapter_ne020(struct nes_device *nesdev, u8 *OneG_Mode)
+ 			nes_debug(NES_DBG_INIT, "Did not see full soft reset done.\n");
+ 			return 0;
+ 		}
++
++		i = 0;
++		while ((nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS) != 0x80) && i++ < 10000)
++			mdelay(1);
++		if (i >= 10000) {
++			printk(KERN_ERR PFX "Internal CPU not ready, status = %02X\n",
++			       nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS));
++			return 0;
++		}
+ 	}
+ 
+ 	/* port reset */
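Review bot: The timeout test `if (i >= 10000)` can report a failure even though the internal CPU became ready. If the status reads 0x80 on the poll right after the last `mdelay(1)`, the loop exits through the first operand with `i` already at 10000. Testing the condition itself avoids this boundary case, e.g. `if (nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS) != 0x80) {` and printing that value. The enclosing function starts and ends outside this hunk.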
+@@ -673,17 +682,6 @@ unsigned int nes_reset_adapter_ne020(struct nes_device *nesdev, u8 *OneG_Mode)
+ 		}
+ 	}
+ 
+-
+-
+-	i = 0;
+-	while ((nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS) != 0x80) && i++ < 10000)
+-		mdelay(1);
+-	if (i >= 10000) {
+-		printk(KERN_ERR PFX "Internal CPU not ready, status = %02X\n",
+-				nes_read_indexed(nesdev, NES_IDX_INT_CPU_STATUS));
+-		return 0;
+-	}
+-
+ 	return port_count;
+ }
+ 
+diff --git a/drivers/md/dm-exception-store.c b/drivers/md/dm-exception-store.c
+index 5bbce29..c7d305b 100644
+--- a/drivers/md/dm-exception-store.c
++++ b/drivers/md/dm-exception-store.c
+@@ -131,7 +131,7 @@ struct pstore {
+ 
+ static unsigned sectors_to_pages(unsigned sectors)
+ {
+-	return sectors / (PAGE_SIZE >> 9);
++	return DIV_ROUND_UP(sectors, PAGE_SIZE >> 9);
+ }
+ 
+ static int alloc_area(struct pstore *ps)
+diff --git a/drivers/media/video/cx88/cx88-cards.c b/drivers/media/video/cx88/cx88-cards.c
+index 8c9a8ad..8bf5596 100644
+--- a/drivers/media/video/cx88/cx88-cards.c
++++ b/drivers/media/video/cx88/cx88-cards.c
+@@ -1354,6 +1354,10 @@ static const struct cx88_board cx88_boards[] = {
+ 		}},
+ 		/* fixme: Add radio support */
+ 		.mpeg           = CX88_MPEG_DVB | CX88_MPEG_BLACKBIRD,
++		.radio = {
++			.type   = CX88_RADIO,
++			.gpio0	= 0xe780,
++		},
+ 	},
+ 	[CX88_BOARD_ADSTECH_PTV_390] = {
+ 		.name           = "ADS Tech Instant Video PCI",
+diff --git a/drivers/media/video/ivtv/ivtv-ioctl.c b/drivers/media/video/ivtv/ivtv-ioctl.c
+index edef2a5..1e6f36e 100644
+--- a/drivers/media/video/ivtv/ivtv-ioctl.c
++++ b/drivers/media/video/ivtv/ivtv-ioctl.c
+@@ -741,7 +741,8 @@ int ivtv_v4l2_ioctls(struct ivtv *itv, struct file *filp, unsigned int cmd, void
+ 
+ 		memset(vcap, 0, sizeof(*vcap));
+ 		strcpy(vcap->driver, IVTV_DRIVER_NAME);     /* driver name */
+-		strcpy(vcap->card, itv->card_name); 	    /* card type */
++		strncpy(vcap->card, itv->card_name,
++				sizeof(vcap->card)-1); 	    /* card type */
+ 		strcpy(vcap->bus_info, pci_name(itv->dev)); /* bus info... */
+ 		vcap->version = IVTV_DRIVER_VERSION; 	    /* version */
+ 		vcap->capabilities = itv->v4l2_cap; 	    /* capabilities */
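Review bot: The bounded copy into `vcap->card` is NUL-terminated only because of the `memset(vcap, 0, sizeof(*vcap))` three lines earlier; `strncpy` with `sizeof(vcap->card)-1` does not write the terminator itself. `strlcpy(vcap->card, itv->card_name, sizeof(vcap->card));` would make the guarantee local to the line. The neighbouring `strcpy` calls into `vcap->driver` and `vcap->bus_info` stay unbounded. Their sources look like fixed or kernel-generated strings, but the field sizes are not visible here, so using the same bounded form would be consistent.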
+diff --git a/drivers/media/video/tea5761.c b/drivers/media/video/tea5761.c
+index 5326eec..de7e060 100644
+--- a/drivers/media/video/tea5761.c
++++ b/drivers/media/video/tea5761.c
+@@ -249,14 +249,19 @@ int tea5761_autodetection(struct i2c_adapter* i2c_adap, u8 i2c_addr)
+ 
+ 	if (16 != (rc = tuner_i2c_xfer_recv(&i2c, buffer, 16))) {
+ 		printk(KERN_WARNING "it is not a TEA5761. Received %i chars.\n", rc);
+-		return EINVAL;
++		return -EINVAL;
+ 	}
+ 
+-	if (!((buffer[13] != 0x2b) || (buffer[14] != 0x57) || (buffer[15] != 0x061))) {
+-		printk(KERN_WARNING "Manufacturer ID= 0x%02x, Chip ID = %02x%02x. It is not a TEA5761\n",buffer[13],buffer[14],buffer[15]);
+-		return EINVAL;
++	if ((buffer[13] != 0x2b) || (buffer[14] != 0x57) || (buffer[15] != 0x061)) {
++		printk(KERN_WARNING "Manufacturer ID= 0x%02x, Chip ID = %02x%02x."
++				    " It is not a TEA5761\n",
++				    buffer[13], buffer[14], buffer[15]);
++		return -EINVAL;
+ 	}
+-	printk(KERN_WARNING "TEA5761 detected.\n");
++	printk(KERN_WARNING "tea5761: TEA%02x%02x detected. "
++			    "Manufacturer ID= 0x%02x\n",
++			    buffer[14], buffer[15], buffer[13]);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/media/video/tuner-core.c b/drivers/media/video/tuner-core.c
+index 78a09a2..8cdbdd0 100644
+--- a/drivers/media/video/tuner-core.c
++++ b/drivers/media/video/tuner-core.c
+@@ -1112,8 +1112,8 @@ static int tuner_probe(struct i2c_client *client)
+ 	if (!no_autodetect) {
+ 		switch (client->addr) {
+ 		case 0x10:
+-			if (tea5761_autodetection(t->i2c->adapter, t->i2c->addr)
+-					!= EINVAL) {
++			if (tea5761_autodetection(t->i2c->adapter,
++						  t->i2c->addr) >= 0) {
+ 				t->type = TUNER_TEA5761;
+ 				t->mode_mask = T_RADIO;
+ 				t->mode = T_STANDBY;
+@@ -1125,7 +1125,7 @@ static int tuner_probe(struct i2c_client *client)
+ 
+ 				goto register_client;
+ 			}
+-			break;
++			return -ENODEV;
+ 		case 0x42:
+ 		case 0x43:
+ 		case 0x4a:
+diff --git a/drivers/net/s2io.c b/drivers/net/s2io.c
+index c082cf0..de11039 100644
+--- a/drivers/net/s2io.c
++++ b/drivers/net/s2io.c
+@@ -84,7 +84,7 @@
+ #include "s2io.h"
+ #include "s2io-regs.h"
+ 
+-#define DRV_VERSION "2.0.26.20"
++#define DRV_VERSION "2.0.26.22"
+ 
+ /* S2io Driver name & version. */
+ static char s2io_driver_name[] = "Neterion";
+@@ -2339,7 +2339,7 @@ static void free_tx_buffers(struct s2io_nic *nic)
+ 	for (i = 0; i < config->tx_fifo_num; i++) {
+ 		unsigned long flags;
+ 		spin_lock_irqsave(&mac_control->fifos[i].tx_lock, flags);
+-		for (j = 0; j < config->tx_cfg[i].fifo_len - 1; j++) {
++		for (j = 0; j < config->tx_cfg[i].fifo_len; j++) {
+ 			txdp = (struct TxD *) \
+ 			mac_control->fifos[i].list_info[j].list_virt_addr;
+ 			skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j);
+diff --git a/drivers/net/tehuti.c b/drivers/net/tehuti.c
+index 17585e5..432e837 100644
+--- a/drivers/net/tehuti.c
++++ b/drivers/net/tehuti.c
+@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianess(void)
+ 		s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
+ }
+ 
++static int bdx_range_check(struct bdx_priv *priv, u32 offset)
++{
++	return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
++		-EINVAL : 0;
++}
++
+ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
+ {
+ 	struct bdx_priv *priv = ndev->priv;
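Review bot: `bdx_range_check()` rejects only `offset > limit`, so an offset equal to the per-port region size, or one within the last few bytes of it, still passes and is handed to `READ_REG`/`WRITE_REG` in the later hunks. The access width of those macros is not visible here; if they perform 32-bit accesses the bound should leave room for the whole word, e.g. `offset > limit - sizeof(u32)`, or at least use `>=`. `data[1]` appears to be caller-supplied through the ioctl, so a short comment on the helper stating the valid range (and whether unaligned offsets are acceptable) would help. The helper also divides by `priv->nic->port_num`, which is assumed non-zero.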
+@@ -643,9 +649,15 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
+ 		DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
+ 	}
+ 
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
++
+ 	switch (data[0]) {
+ 
+ 	case BDX_OP_READ:
++		error = bdx_range_check(priv, data[1]);
++		if (error < 0)
++			return error;
+ 		data[2] = READ_REG(priv, data[1]);
+ 		DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
+ 		    data[2]);
+@@ -655,6 +667,9 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
+ 		break;
+ 
+ 	case BDX_OP_WRITE:
++		error = bdx_range_check(priv, data[1]);
++		if (error < 0)
++			return error;
+ 		WRITE_REG(priv, data[1], data[2]);
+ 		DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
+ 		break;
+diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
+index 96043c5..bc4c62b 100644
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -64,8 +64,8 @@
+ 
+ #define DRV_MODULE_NAME		"tg3"
+ #define PFX DRV_MODULE_NAME	": "
+-#define DRV_MODULE_VERSION	"3.90"
+-#define DRV_MODULE_RELDATE	"April 12, 2008"
++#define DRV_MODULE_VERSION	"3.91"
++#define DRV_MODULE_RELDATE	"April 18, 2008"
+ 
+ #define TG3_DEF_MAC_MODE	0
+ #define TG3_DEF_RX_MODE		0
+@@ -4135,11 +4135,21 @@ static int tigon3_dma_hwbug_workaround(struct tg3 *tp, struct sk_buff *skb,
+ 				       u32 last_plus_one, u32 *start,
+ 				       u32 base_flags, u32 mss)
+ {
+-	struct sk_buff *new_skb = skb_copy(skb, GFP_ATOMIC);
++	struct sk_buff *new_skb;
+ 	dma_addr_t new_addr = 0;
+ 	u32 entry = *start;
+ 	int i, ret = 0;
+ 
++	if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5701)
++		new_skb = skb_copy(skb, GFP_ATOMIC);
++	else {
++		int more_headroom = 4 - ((unsigned long)skb->data & 3);
++
++		new_skb = skb_copy_expand(skb,
++					  skb_headroom(skb) + more_headroom,
++					  skb_tailroom(skb), GFP_ATOMIC);
++	}
++
+ 	if (!new_skb) {
+ 		ret = -1;
+ 	} else {
+@@ -4462,7 +4472,9 @@ static int tg3_start_xmit_dma_bug(struct sk_buff *skb, struct net_device *dev)
+ 
+ 	would_hit_hwbug = 0;
+ 
+-	if (tg3_4g_overflow_test(mapping, len))
++	if (tp->tg3_flags3 & TG3_FLG3_5701_DMA_BUG)
++		would_hit_hwbug = 1;
++	else if (tg3_4g_overflow_test(mapping, len))
+ 		would_hit_hwbug = 1;
+ 
+ 	tg3_set_txd(tp, entry, mapping, len, base_flags,
+@@ -11339,6 +11351,38 @@ static int __devinit tg3_get_invariants(struct tg3 *tp)
+ 		}
+ 	}
+ 
++	if ((GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5701)) {
++		static struct tg3_dev_id {
++			u32	vendor;
++			u32	device;
++		} bridge_chipsets[] = {
++			{ PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_0 },
++			{ PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PXH_1 },
++			{ },
++		};
++		struct tg3_dev_id *pci_id = &bridge_chipsets[0];
++		struct pci_dev *bridge = NULL;
++
++		while (pci_id->vendor != 0) {
++			bridge = pci_get_device(pci_id->vendor,
++						pci_id->device,
++						bridge);
++			if (!bridge) {
++				pci_id++;
++				continue;
++			}
++			if (bridge->subordinate &&
++			    (bridge->subordinate->number <=
++			     tp->pdev->bus->number) &&
++			    (bridge->subordinate->subordinate >=
++			     tp->pdev->bus->number)) {
++				tp->tg3_flags3 |= TG3_FLG3_5701_DMA_BUG;
++				pci_dev_put(bridge);
++				break;
++			}
++		}
++	}
++
+ 	/* The EPB bridge inside 5714, 5715, and 5780 cannot support
+ 	 * DMA addresses > 40-bit. This bridge may have other additional
+ 	 * 57xx devices behind it in some 4-port NIC designs for example.
+diff --git a/drivers/net/tg3.h b/drivers/net/tg3.h
+index c1075a7..c688c3a 100644
+--- a/drivers/net/tg3.h
++++ b/drivers/net/tg3.h
+@@ -2476,6 +2476,7 @@ struct tg3 {
+ #define TG3_FLG3_NO_NVRAM_ADDR_TRANS	0x00000001
+ #define TG3_FLG3_ENABLE_APE		0x00000002
+ #define TG3_FLG3_5761_5784_AX_FIXES	0x00000004
++#define TG3_FLG3_5701_DMA_BUG		0x00000008
+ 
+ 	struct timer_list		timer;
+ 	u16				timer_counter;
+diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
+index 48e9124..4ec1915 100644
+--- a/drivers/net/wireless/b43/dma.c
++++ b/drivers/net/wireless/b43/dma.c
+@@ -822,6 +822,18 @@ static u64 supported_dma_mask(struct b43_wldev *dev)
+ 	return DMA_30BIT_MASK;
+ }
+ 
++static enum b43_dmatype dma_mask_to_engine_type(u64 dmamask)
++{
++	if (dmamask == DMA_30BIT_MASK)
++		return B43_DMA_30BIT;
++	if (dmamask == DMA_32BIT_MASK)
++		return B43_DMA_32BIT;
++	if (dmamask == DMA_64BIT_MASK)
++		return B43_DMA_64BIT;
++	B43_WARN_ON(1);
++	return B43_DMA_30BIT;
++}
++
+ /* Main initialization function. */
+ static
+ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev,
+@@ -982,6 +994,42 @@ void b43_dma_free(struct b43_wldev *dev)
+ 	dma->tx_ring0 = NULL;
+ }
+ 
++static int b43_dma_set_mask(struct b43_wldev *dev, u64 mask)
++{
++	u64 orig_mask = mask;
++	bool fallback = 0;
++	int err;
++
++	/* Try to set the DMA mask. If it fails, try falling back to a
++	 * lower mask, as we can always also support a lower one. */
++	while (1) {
++		err = ssb_dma_set_mask(dev->dev, mask);
++		if (!err)
++			break;
++		if (mask == DMA_64BIT_MASK) {
++			mask = DMA_32BIT_MASK;
++			fallback = 1;
++			continue;
++		}
++		if (mask == DMA_32BIT_MASK) {
++			mask = DMA_30BIT_MASK;
++			fallback = 1;
++			continue;
++		}
++		b43err(dev->wl, "The machine/kernel does not support "
++		       "the required %u-bit DMA mask\n",
++		       (unsigned int)dma_mask_to_engine_type(orig_mask));
++		return -EOPNOTSUPP;
++	}
++	if (fallback) {
++		b43info(dev->wl, "DMA mask fallback from %u-bit to %u-bit\n",
++			(unsigned int)dma_mask_to_engine_type(orig_mask),
++			(unsigned int)dma_mask_to_engine_type(mask));
++	}
++
++	return 0;
++}
++
+ int b43_dma_init(struct b43_wldev *dev)
+ {
+ 	struct b43_dma *dma = &dev->dma;
+@@ -991,27 +1039,10 @@ int b43_dma_init(struct b43_wldev *dev)
+ 	enum b43_dmatype type;
+ 
+ 	dmamask = supported_dma_mask(dev);
+-	switch (dmamask) {
+-	default:
+-		B43_WARN_ON(1);
+-	case DMA_30BIT_MASK:
+-		type = B43_DMA_30BIT;
+-		break;
+-	case DMA_32BIT_MASK:
+-		type = B43_DMA_32BIT;
+-		break;
+-	case DMA_64BIT_MASK:
+-		type = B43_DMA_64BIT;
+-		break;
+-	}
+-	err = ssb_dma_set_mask(dev->dev, dmamask);
+-	if (err) {
+-		b43err(dev->wl, "The machine/kernel does not support "
+-		       "the required DMA mask (0x%08X%08X)\n",
+-		       (unsigned int)((dmamask & 0xFFFFFFFF00000000ULL) >> 32),
+-		       (unsigned int)(dmamask & 0x00000000FFFFFFFFULL));
+-		return -EOPNOTSUPP;
+-	}
++	type = dma_mask_to_engine_type(dmamask);
++	err = b43_dma_set_mask(dev, dmamask);
++	if (err)
++		return err;
+ 
+ 	err = -ENOMEM;
+ 	/* setup TX DMA channels. */
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index c73a75b..f23317e 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -78,6 +78,11 @@ static int modparam_nohwcrypt;
+ module_param_named(nohwcrypt, modparam_nohwcrypt, int, 0444);
+ MODULE_PARM_DESC(nohwcrypt, "Disable hardware encryption.");
+ 
++static int modparam_btcoex = 1;
++module_param_named(btcoex, modparam_btcoex, int, 0444);
++MODULE_PARM_DESC(btcoex, "Enable Bluetooth coexistance (default on)");
++
++
+ static const struct ssb_device_id b43_ssb_tbl[] = {
+ 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 5),
+ 	SSB_DEVICE(SSB_VENDOR_BROADCOM, SSB_DEV_80211, 6),
+@@ -3339,6 +3344,8 @@ static void b43_bluetooth_coext_enable(struct b43_wldev *dev)
+ 	struct ssb_sprom *sprom = &dev->dev->bus->sprom;
+ 	u32 hf;
+ 
++	if (!modparam_btcoex)
++		return;
+ 	if (!(sprom->boardflags_lo & B43_BFL_BTCOEXIST))
+ 		return;
+ 	if (dev->phy.type != B43_PHYTYPE_B && !dev->phy.gmode)
+@@ -3350,11 +3357,13 @@ static void b43_bluetooth_coext_enable(struct b43_wldev *dev)
+ 	else
+ 		hf |= B43_HF_BTCOEX;
+ 	b43_hf_write(dev, hf);
+-	//TODO
+ }
+ 
+ static void b43_bluetooth_coext_disable(struct b43_wldev *dev)
+-{				//TODO
++{
++	if (!modparam_btcoex)
++		return;
++	//TODO
+ }
+ 
+ static void b43_imcfglo_timeouts_workaround(struct b43_wldev *dev)
+@@ -4000,8 +4009,16 @@ static int b43_one_core_attach(struct ssb_device *dev, struct b43_wl *wl)
+ 	return err;
+ }
+ 
++#define IS_PDEV(pdev, _vendor, _device, _subvendor, _subdevice)		( \
++	(pdev->vendor == PCI_VENDOR_ID_##_vendor) &&			\
++	(pdev->device == _device) &&					\
++	(pdev->subsystem_vendor == PCI_VENDOR_ID_##_subvendor) &&	\
++	(pdev->subsystem_device == _subdevice)				)
++
+ static void b43_sprom_fixup(struct ssb_bus *bus)
+ {
++	struct pci_dev *pdev;
++
+ 	/* boardflags workarounds */
+ 	if (bus->boardinfo.vendor == SSB_BOARDVENDOR_DELL &&
+ 	    bus->chip_id == 0x4301 && bus->boardinfo.rev == 0x74)
+@@ -4009,6 +4026,13 @@ static void b43_sprom_fixup(struct ssb_bus *bus)
+ 	if (bus->boardinfo.vendor == PCI_VENDOR_ID_APPLE &&
+ 	    bus->boardinfo.type == 0x4E && bus->boardinfo.rev > 0x40)
+ 		bus->sprom.boardflags_lo |= B43_BFL_PACTRL;
++	if (bus->bustype == SSB_BUSTYPE_PCI) {
++		pdev = bus->host_pci;
++		if (IS_PDEV(pdev, BROADCOM, 0x4318, ASUSTEK, 0x100F) ||
++		    IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0015) ||
++		    IS_PDEV(pdev, BROADCOM, 0x4320, LINKSYS, 0x0013))
++			bus->sprom.boardflags_lo &= ~B43_BFL_BTCOEXIST;
++	}
+ }
+ 
+ static void b43_wireless_exit(struct ssb_device *dev, struct b43_wl *wl)
+diff --git a/drivers/rtc/rtc-pcf8583.c b/drivers/rtc/rtc-pcf8583.c
+index 8b39970..3d09d8f 100644
+--- a/drivers/rtc/rtc-pcf8583.c
++++ b/drivers/rtc/rtc-pcf8583.c
+@@ -15,7 +15,7 @@
+ #include <linux/i2c.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+-#include <linux/mc146818rtc.h>
++#include <linux/rtc.h>
+ #include <linux/init.h>
+ #include <linux/errno.h>
+ #include <linux/bcd.h>
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 3c1b433..0e8e092 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2357,7 +2357,7 @@ qla2x00_do_dpc(void *data)
+ 					} else {
+ 						fcport->login_retry = 0;
+ 					}
+-					if (fcport->login_retry == 0)
++					if (fcport->login_retry == 0 && status != QLA_SUCCESS)
+ 						fcport->loop_id = FC_NO_LOOP_ID;
+ 				}
+ 				if (test_bit(LOOP_RESYNC_NEEDED, &ha->dpc_flags))
+diff --git a/drivers/serial/dz.c b/drivers/serial/dz.c
+index 116211f..0dddd68 100644
+--- a/drivers/serial/dz.c
++++ b/drivers/serial/dz.c
+@@ -819,7 +819,7 @@ static void dz_console_putchar(struct uart_port *uport, int ch)
+ 		dz_out(dport, DZ_TCR, mask);
+ 		iob();
+ 		udelay(2);
+-	} while (loops--);
++	} while (--loops);
+ 
+ 	if (loops)				/* Cannot send otherwise. */
+ 		dz_out(dport, DZ_TDR, ch);
+diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c
+index b434df7..274a448 100644
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -482,6 +482,11 @@ static int sprom_extract(struct ssb_bus *bus, struct ssb_sprom *out,
+ 			goto unsupported;
+ 	}
+ 
++	if (out->boardflags_lo == 0xFFFF)
++		out->boardflags_lo = 0;  /* per specs */
++	if (out->boardflags_hi == 0xFFFF)
++		out->boardflags_hi = 0;  /* per specs */
++
+ 	return 0;
+ unsupported:
+ 	ssb_printk(KERN_WARNING PFX "Unsupported SPROM revision %d "
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 68fc521..7f1bc97 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2664,6 +2664,7 @@ loop:
+ 		if ((status == -ENOTCONN) || (status == -ENOTSUPP))
+ 			break;
+ 	}
++	dev_err(hub_dev, "unable to enumerate USB device on port %d\n", port1);
+  
+ done:
+ 	hub_port_disable(hub, port1, 1);
+diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
+index d0360f6..b0e2275 100644
+--- a/drivers/usb/host/ohci-pci.c
++++ b/drivers/usb/host/ohci-pci.c
+@@ -312,11 +312,13 @@ static int ohci_pci_suspend (struct usb_hcd *hcd, pm_message_t message)
+ 
+ static int ohci_pci_resume (struct usb_hcd *hcd)
+ {
++	struct ohci_hcd	*ohci = hcd_to_ohci(hcd);
++
+ 	set_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
+ 
+ 	/* FIXME: we should try to detect loss of VBUS power here */
+ 	prepare_for_handover(hcd);
+-
++	ohci_writel(ohci, OHCI_INTR_MIE, &ohci->regs->intrenable);
+ 	return 0;
+ }
+ 
+diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
+index ed67881..7b02a4a 100644
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -164,6 +164,7 @@ static struct usb_device_id id_table [] = {
+ 	{ USB_DEVICE(0x1199, 0x6812) },	/* Sierra Wireless MC8775 & AC 875U */
+ 	{ USB_DEVICE(0x1199, 0x6813) },	/* Sierra Wireless MC8775 (Thinkpad internal) */
+ 	{ USB_DEVICE(0x1199, 0x6815) },	/* Sierra Wireless MC8775 */
++	{ USB_DEVICE(0x03f0, 0x1e1d) },	/* HP hs2300 a.k.a MC8775 */
+ 	{ USB_DEVICE(0x1199, 0x6820) },	/* Sierra Wireless AirCard 875 */
+ 	{ USB_DEVICE(0x1199, 0x6832) },	/* Sierra Wireless MC8780*/
+ 	{ USB_DEVICE(0x1199, 0x6833) },	/* Sierra Wireless MC8781*/
+diff --git a/fs/aio.c b/fs/aio.c
+index 2283686..ae94e1d 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1166,7 +1166,10 @@ retry:
+ 				break;
+ 			if (min_nr <= i)
+ 				break;
+-			ret = 0;
++			if (unlikely(ctx->dead)) {
++				ret = -EINVAL;
++				break;
++			}
+ 			if (to.timed_out)	/* Only check after read evt */
+ 				break;
+ 			/* Try to only show up in io wait if there are ops
+@@ -1231,6 +1234,13 @@ static void io_destroy(struct kioctx *ioctx)
+ 
+ 	aio_cancel_all(ioctx);
+ 	wait_for_all_aios(ioctx);
++
++	/*
++	 * Wake up any waiters.  The setting of ctx->dead must be seen
++	 * by other CPUs at this point.  Right now, we rely on the
++	 * locking done by the above calls to ensure this consistency.
++	 */
++	wake_up(&ioctx->wait);
+ 	put_ioctx(ioctx);	/* once for the lookup */
+ }
+ 
+diff --git a/fs/dnotify.c b/fs/dnotify.c
+index 28d01ed..eaecc4c 100644
+--- a/fs/dnotify.c
++++ b/fs/dnotify.c
+@@ -20,6 +20,7 @@
+ #include <linux/init.h>
+ #include <linux/spinlock.h>
+ #include <linux/slab.h>
++#include <linux/file.h>
+ 
+ int dir_notify_enable __read_mostly = 1;
+ 
+@@ -66,6 +67,7 @@ int fcntl_dirnotify(int fd, struct file *filp, unsigned long arg)
+ 	struct dnotify_struct **prev;
+ 	struct inode *inode;
+ 	fl_owner_t id = current->files;
++	struct file *f;
+ 	int error = 0;
+ 
+ 	if ((arg & ~DN_MULTISHOT) == 0) {
+@@ -92,6 +94,15 @@ int fcntl_dirnotify(int fd, struct file *filp, unsigned long arg)
+ 		prev = &odn->dn_next;
+ 	}
+ 
++	rcu_read_lock();
++	f = fcheck(fd);
++	rcu_read_unlock();
++	/* we'd lost the race with close(), sod off silently */
++	/* note that inode->i_lock prevents reordering problems
++	 * between accesses to descriptor table and ->i_dnotify */
++	if (f != filp)
++		goto out_free;
++
+ 	error = __f_setown(filp, task_pid(current), PIDTYPE_PID, 0);
+ 	if (error)
+ 		goto out_free;
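Review bot: When `f != filp` the new branch jumps to `out_free` without assigning `error`, so, unless an earlier path outside this hunk set it, the caller receives 0 even though no dnotify entry was installed. The comment says "silently" but does not state that returning success is intended. I would merge the two comments and spell that out, e.g. `/* Lost the race with close(): the fd no longer refers to filp, so drop the new entry and return success. inode->i_lock orders this check against ->i_dnotify updates. */`. Note also that `f` is only compared, never dereferenced, after `rcu_read_unlock()`, which is what makes the short RCU section sufficient; that is worth a word in the comment too. The function body starts and ends outside this hunk.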
+diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
+index a1db918..4c895f3 100644
+--- a/fs/jffs2/erase.c
++++ b/fs/jffs2/erase.c
+@@ -419,9 +419,6 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
+ 			if (jffs2_write_nand_cleanmarker(c, jeb))
+ 				goto filebad;
+ 		}
+-
+-		/* Everything else got zeroed before the erase */
+-		jeb->free_size = c->sector_size;
+ 	} else {
+ 
+ 		struct kvec vecs[1];
+@@ -449,18 +446,19 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
+ 
+ 			goto filebad;
+ 		}
+-
+-		/* Everything else got zeroed before the erase */
+-		jeb->free_size = c->sector_size;
+-		/* FIXME Special case for cleanmarker in empty block */
+-		jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
+ 	}
++	/* Everything else got zeroed before the erase */
++	jeb->free_size = c->sector_size;
+ 
+ 	down(&c->erase_free_sem);
+ 	spin_lock(&c->erase_completion_lock);
++
+ 	c->erasing_size -= c->sector_size;
+-	c->free_size += jeb->free_size;
+-	c->used_size += jeb->used_size;
++	c->free_size += c->sector_size;
++
++	/* Account for cleanmarker now, if it's in-band */
++	if (c->cleanmarker_size && !jffs2_cleanmarker_oob(c))
++		jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
+ 
+ 	jffs2_dbg_acct_sanity_check_nolock(c,jeb);
+ 	jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
+diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
+index b9e1740..44c81c7 100644
+--- a/include/linux/rtnetlink.h
++++ b/include/linux/rtnetlink.h
+@@ -740,13 +740,13 @@ extern void rtmsg_ifinfo(int type, struct net_device *dev, unsigned change);
+ extern void rtnl_lock(void);
+ extern void rtnl_unlock(void);
+ extern int rtnl_trylock(void);
++extern int rtnl_is_locked(void);
+ 
+ extern void rtnetlink_init(void);
+ extern void __rtnl_unlock(void);
+ 
+ #define ASSERT_RTNL() do { \
+-	if (unlikely(rtnl_trylock())) { \
+-		rtnl_unlock(); \
++	if (unlikely(!rtnl_is_locked())) { \
+ 		printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \
+ 		       __FILE__,  __LINE__); \
+ 		dump_stack(); \
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 4fd3eb2..d69d12e 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -776,11 +776,14 @@ extern void tcp_enter_cwr(struct sock *sk, const int set_ssthresh);
+ extern __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst);
+ 
+ /* Slow start with delack produces 3 packets of burst, so that
+- * it is safe "de facto".
++ * it is safe "de facto".  This will be the default - same as
++ * the default reordering threshold - but if reordering increases,
++ * we must be able to allow cwnd to burst at least this much in order
++ * to not pull it back when holes are filled.
+  */
+ static __inline__ __u32 tcp_max_burst(const struct tcp_sock *tp)
+ {
+-	return 3;
++	return tp->reordering;
+ }
+ 
+ /* Returns end sequence number of the receiver's advertised window */
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 0d255ae..97577de 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -435,6 +435,9 @@ struct xfrm_tmpl
+ /* May skip this transfomration if no SA is found */
+ 	__u8			optional;
+ 
++/* Skip aalgos/ealgos/calgos checks. */
++	__u8			allalgs;
++
+ /* Bit mask of algos allowed for acquisition */
+ 	__u32			aalgos;
+ 	__u32			ealgos;
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 2727f92..6d8de05 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1722,7 +1722,12 @@ void cgroup_enable_task_cg_lists(void)
+ 	use_task_css_set_links = 1;
+ 	do_each_thread(g, p) {
+ 		task_lock(p);
+-		if (list_empty(&p->cg_list))
++		/*
++		 * We should check if the process is exiting, otherwise
++		 * it will race with cgroup_exit() in that the list
++		 * entry won't be deleted though the process has exited.
++		 */
++		if (!(p->flags & PF_EXITING) && list_empty(&p->cg_list))
+ 			list_add(&p->cg_list, &p->cgroups->tasks);
+ 		task_unlock(p);
+ 	} while_each_thread(g, p);
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index 98bee01..c15a359 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -590,7 +590,6 @@ static inline int hrtimer_enqueue_reprogram(struct hrtimer *timer,
+ 			list_add_tail(&timer->cb_entry,
+ 				      &base->cpu_base->cb_pending);
+ 			timer->state = HRTIMER_STATE_PENDING;
+-			raise_softirq(HRTIMER_SOFTIRQ);
+ 			return 1;
+ 		default:
+ 			BUG();
+@@ -633,6 +632,11 @@ static int hrtimer_switch_to_hres(void)
+ 	return 1;
+ }
+ 
++static inline void hrtimer_raise_softirq(void)
++{
++	raise_softirq(HRTIMER_SOFTIRQ);
++}
++
+ #else
+ 
+ static inline int hrtimer_hres_active(void) { return 0; }
+@@ -651,6 +655,7 @@ static inline int hrtimer_reprogram(struct hrtimer *timer,
+ {
+ 	return 0;
+ }
++static inline void hrtimer_raise_softirq(void) { }
+ 
+ #endif /* CONFIG_HIGH_RES_TIMERS */
+ 
+@@ -850,7 +855,7 @@ hrtimer_start(struct hrtimer *timer, ktime_t tim, const enum hrtimer_mode mode)
+ {
+ 	struct hrtimer_clock_base *base, *new_base;
+ 	unsigned long flags;
+-	int ret;
++	int ret, raise;
+ 
+ 	base = lock_hrtimer_base(timer, &flags);
+ 
+@@ -884,8 +889,18 @@ hrtimer_start(struct hrtimer *timer, ktime_t tim, const enum hrtimer_mode mode)
+ 	enqueue_hrtimer(timer, new_base,
+ 			new_base->cpu_base == &__get_cpu_var(hrtimer_bases));
+ 
++	/*
++	 * The timer may be expired and moved to the cb_pending
++	 * list. We can not raise the softirq with base lock held due
++	 * to a possible deadlock with runqueue lock.
++	 */
++	raise = timer->state == HRTIMER_STATE_PENDING;
++
+ 	unlock_hrtimer_base(timer, &flags);
+ 
++	if (raise)
++		hrtimer_raise_softirq();
++
+ 	return ret;
+ }
+ EXPORT_SYMBOL_GPL(hrtimer_start);
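Review bot: Only `hrtimer_start()` gains a replacement for the `raise_softirq(HRTIMER_SOFTIRQ)` call that the first hunk of this file removes from `hrtimer_enqueue_reprogram()`. Any other path that reaches that pending-list branch would now leave the timer on `cb_pending` with no softirq raised. Those callers are outside the diff, so this needs checking against the full file. A comment on `hrtimer_raise_softirq()` such as `/* Callers that may queue a timer on cb_pending must call this after dropping the base lock. */` would record the new contract.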
+@@ -1080,8 +1095,19 @@ static void run_hrtimer_pending(struct hrtimer_cpu_base *cpu_base)
+ 			 * If the timer was rearmed on another CPU, reprogram
+ 			 * the event device.
+ 			 */
+-			if (timer->base->first == &timer->node)
+-				hrtimer_reprogram(timer, timer->base);
++			struct hrtimer_clock_base *base = timer->base;
++
++			if (base->first == &timer->node &&
++			    hrtimer_reprogram(timer, base)) {
++				/*
++				 * Timer is expired. Thus move it from tree to
++				 * pending list again.
++				 */
++				__remove_hrtimer(timer, base,
++						 HRTIMER_STATE_PENDING, 0);
++				list_add_tail(&timer->cb_entry,
++					      &base->cpu_base->cb_pending);
++			}
+ 		}
+ 	}
+ 	spin_unlock_irq(&cpu_base->lock);
+diff --git a/mm/pagewalk.c b/mm/pagewalk.c
+index 1cf1417..0afd238 100644
+--- a/mm/pagewalk.c
++++ b/mm/pagewalk.c
+@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
+ 	int err = 0;
+ 
+ 	pte = pte_offset_map(pmd, addr);
+-	do {
++	for (;;) {
+ 		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
+ 		if (err)
+ 		       break;
+-	} while (pte++, addr += PAGE_SIZE, addr != end);
++		addr += PAGE_SIZE;
++		if (addr == end)
++			break;
++		pte++;
++	}
+ 
+ 	pte_unmap(pte);
+ 	return err;
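Review bot: The rewritten loop in `walk_pte_range()` carries no comment explaining why `pte++` now comes after the `addr == end` test, which is the substance of the fix. The reason is presumably that `pte_unmap(pte)` after the loop must not receive a pointer stepped past the last entry. I would add `/* advance pte only if another entry follows, so pte_unmap() gets a pointer inside the mapped page */` above `addr += PAGE_SIZE;`. The function's opening lines are outside the hunk.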
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 94cd7f2..c92cb8e 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket *sock, int level, int optname,
+ 			int fsize = ro->count * sizeof(struct can_filter);
+ 			if (len > fsize)
+ 				len = fsize;
+-			err = copy_to_user(optval, ro->filter, len);
++			if (copy_to_user(optval, ro->filter, len))
++				err = -EFAULT;
+ 		} else
+ 			len = 0;
+ 		release_sock(sk);
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 2bd9c5f..0cb2772 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -82,6 +82,11 @@ int rtnl_trylock(void)
+ 	return mutex_trylock(&rtnl_mutex);
+ }
+ 
++int rtnl_is_locked(void)
++{
++	return mutex_is_locked(&rtnl_mutex);
++}
++
+ static struct rtnl_link *rtnl_msg_handlers[NPROTO];
+ 
+ static inline int rtm_msgindex(int msgtype)
+@@ -1389,6 +1394,7 @@ EXPORT_SYMBOL(rtnetlink_put_metrics);
+ EXPORT_SYMBOL(rtnl_lock);
+ EXPORT_SYMBOL(rtnl_trylock);
+ EXPORT_SYMBOL(rtnl_unlock);
++EXPORT_SYMBOL(rtnl_is_locked);
+ EXPORT_SYMBOL(rtnl_unicast);
+ EXPORT_SYMBOL(rtnl_notify);
+ EXPORT_SYMBOL(rtnl_set_sk_err);
+diff --git a/net/dccp/probe.c b/net/dccp/probe.c
+index 7053bb8..44eddcf 100644
+--- a/net/dccp/probe.c
++++ b/net/dccp/probe.c
+@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct file *file, char __user *buf,
+ 		goto out_free;
+ 
+ 	cnt = kfifo_get(dccpw.fifo, tbuf, len);
+-	error = copy_to_user(buf, tbuf, cnt);
++	error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;
+ 
+ out_free:
+ 	vfree(tbuf);
+diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
+index 87dd5bf..a79a547 100644
+--- a/net/ipv4/tcp_probe.c
++++ b/net/ipv4/tcp_probe.c
+@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
+ 
+ 		width = tcpprobe_sprint(tbuf, sizeof(tbuf));
+ 
+-		if (width < len)
++		if (cnt + width < len)
+ 			tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
+ 
+ 		spin_unlock_bh(&tcp_probe.lock);
+ 
+ 		/* if record greater than space available
+ 		   return partial buffer (so far) */
+-		if (width >= len)
++		if (cnt + width >= len)
+ 			break;
+ 
+-		error = copy_to_user(buf + cnt, tbuf, width);
+-		if (error)
+-			break;
++		if (copy_to_user(buf + cnt, tbuf, width))
++			return -EFAULT;
+ 		cnt += width;
+ 	}
+ 
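Review bot: The new `return -EFAULT` in `tcpprobe_read()` runs after `tcp_probe.tail` has already been advanced under the lock, so a faulting copy drops that record, and it also discards the `cnt` bytes copied in earlier iterations. The removed code broke out of the loop instead, which left the result to whatever follows the loop (outside this hunk). If partial reads are meant to be reported, `if (copy_to_user(buf + cnt, tbuf, width)) return cnt ? cnt : -EFAULT;` keeps that; otherwise a comment stating that the record is lost on a fault would help. Separately, `cnt + width < len` compares variables declared outside the hunk, and their signedness is worth checking.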
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index e9ef9af..5ceab25 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1856,7 +1856,7 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+ 		t->encap_family = xp->family;
+ 
+ 	/* No way to set this via kame pfkey */
+-	t->aalgos = t->ealgos = t->calgos = ~0;
++	t->allalgs = 1;
+ 	xp->xfrm_nr++;
+ 	return 0;
+ }
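Review bot: Once `t->allalgs = 1;` replaces the `~0` assignment in `parse_ipsecrequest()`, `aalgos`, `ealgos` and `calgos` keep whatever the template held before, and their initialisation is not visible here. In this patch only the `aalgos` test in `xfrm_state_ok()` consults `allalgs`, so any other reader of the three masks would see a different value for pfkey-created templates than it did before. Either keep the masks set alongside the flag, `t->aalgos = t->ealgos = t->calgos = ~0;`, or confirm that every reader checks `allalgs` first. The function starts above the hunk.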
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 063cbc5..f9293c7 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -760,8 +760,10 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ 
+ 	rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause,
+ 					 &diagnostic);
+-	if (!rose->neighbour)
+-		return -ENETUNREACH;
++	if (!rose->neighbour) {
++		err = -ENETUNREACH;
++		goto out_release;
++	}
+ 
+ 	rose->lci = rose_new_lci(rose->neighbour);
+ 	if (!rose->lci) {
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 2290903..ac04733 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *sock,
+ 	else if (len < sizeof(value)) {
+ 		res = -EINVAL;
+ 	}
+-	else if ((res = copy_to_user(ov, &value, sizeof(value)))) {
+-		/* couldn't return value */
++	else if (copy_to_user(ov, &value, sizeof(value))) {
++		res = -EFAULT;
+ 	}
+ 	else {
+ 		res = put_user(sizeof(value), ol);
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 9fc4c31..c44076c 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1772,7 +1772,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
+ 		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
+ 		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
+ 		x->props.mode == tmpl->mode &&
+-		((tmpl->aalgos & (1<<x->props.aalgo)) ||
++		(tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
+ 		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
+ 		!(x->props.mode != XFRM_MODE_TRANSPORT &&
+ 		  xfrm_state_addr_cmp(tmpl, x, family));
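Review bot: When `tmpl->allalgs` is 0 the condition still evaluates `1<<x->props.aalgo`, and a shift by 32 or more is undefined for a 32-bit operand, so templates with a restricted mask are not covered for algorithm IDs above 31. The type and range of `props.aalgo` are not shown in the hunk, so this is inferred from the stated purpose of the change. A bounds test before the shift would close it, e.g. `(x->props.aalgo < 32 && (tmpl->aalgos & (1U << x->props.aalgo)))`. The condition begins above the hunk.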
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 019d21d..12f19be 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -975,6 +975,8 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
+ 		t->aalgos = ut->aalgos;
+ 		t->ealgos = ut->ealgos;
+ 		t->calgos = ut->calgos;
++		/* If all masks are ~0, then we allow all algorithms. */
++		t->allalgs = !~(t->aalgos & t->ealgos & t->calgos);
+ 		t->encap_family = ut->family;
+ 	}
+ }
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index d39b59c..f4fa982 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -756,9 +756,18 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
+ 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
+ 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
+ 
+-	/* we can't error, we can't save the info, this shouldn't get called
+-	 * this early in the boot process. */
+-	BUG_ON(!ss_initialized);
++	/*
++	 * if the parent was able to be mounted it clearly had no special lsm
++	 * mount options.  thus we can safely put this sb on the list and deal
++	 * with it later
++	 */
++	if (!ss_initialized) {
++		spin_lock(&sb_security_lock);
++		if (list_empty(&newsbsec->list))
++			list_add(&newsbsec->list, &superblock_security_head);
++		spin_unlock(&sb_security_lock);
++		return;
++	}
+ 
+ 	/* how can we clone if the old one wasn't set up?? */
+ 	BUG_ON(!oldsbsec->initialized);
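Review bot: The early return for `!ss_initialized` in `selinux_sb_clone_mnt_opts()` copies nothing from `oldsbsec`, and the new comment justifies that with an assumption (the parent had no special mount options) rather than a check. The labelling the queued superblock receives once policy is loaded depends on the code that later walks `superblock_security_head`, which is outside this hunk. I would extend the comment to name that code and to state that the clone is set up later rather than from the parent. That way a reader does not expect `set_context` and the other flags computed just above to apply on this path.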

Added: dists/sid/linux-2.6/debian/patches/series/2
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/2	Fri May  2 09:50:14 2008
@@ -0,0 +1 @@
++ bugfix/all/stable/2.6.25.1


