# This is a BitKeeper generated patch for the following project: # Project Name: Linux kernel tree # This patch format is intended for GNU patch command version 2.5 or higher. # This patch includes the following deltas: # ChangeSet v2.6.0-test11 -> 1.1530 # arch/i386/mm/fault.c 1.28 -> 1.29 # drivers/scsi/libata-core.c 1.7 -> 1.8 # fs/libfs.c 1.27 -> 1.28 # drivers/net/pci-skeleton.c 1.25 -> 1.26 # drivers/usb/storage/jumpshot.c 1.19 -> 1.20 # drivers/usb/image/Kconfig 1.5 -> 1.6 # kernel/fork.c 1.146 -> 1.148 # drivers/net/wireless/airo.c 1.79 -> 1.80 # drivers/i2c/busses/i2c-nforce2.c 1.7 -> 1.8 # drivers/md/raid5.c 1.78 -> 1.79 # include/linux/blkdev.h 1.128 -> 1.129 # fs/hpfs/dir.c 1.12 -> 1.13 # drivers/net/pcnet32.c 1.43 -> 1.44 # net/ipv4/tcp_ipv4.c 1.77 -> 1.78 # drivers/usb/misc/auerswald.c 1.35 -> 1.36 # drivers/usb/serial/usb-serial.c 1.93 -> 1.95 # net/ipv4/netfilter/ip_conntrack_standalone.c 1.22 -> 1.23 # drivers/ide/ide-cd.c 1.61 -> 1.62 # drivers/usb/core/hub.c 1.79 -> 1.82 # scripts/file2alias.c 1.6 -> 1.7 # drivers/usb/core/devio.c 1.54 -> 1.55 # drivers/usb/core/usb.c 1.144 -> 1.145 # drivers/net/r8169.c 1.16 -> 1.17 # include/linux/list.h 1.38 -> 1.39 # net/ipv6/tcp_ipv6.c 1.75 -> 1.76 # mm/mmap.c 1.93 -> 1.95 # fs/proc/base.c 1.59 -> 1.60 # net/sched/sch_htb.c 1.15 -> 1.17 # drivers/scsi/ide-scsi.c 1.33 -> 1.34 # include/linux/rtnetlink.h 1.26 -> 1.27 # kernel/sched.c 1.224 -> 1.225 # net/ipv6/udp.c 1.54 -> 1.55 # kernel/exit.c 1.119 -> 1.120 # lib/kobject.c 1.31 -> 1.32 # include/asm-x86_64/msr.h 1.5 -> 1.6 # net/bridge/br_netfilter.c 1.16 -> 1.17 # drivers/usb/storage/datafab.c 1.17 -> 1.18 # net/ipv4/netfilter/ip_conntrack_proto_tcp.c 1.10 -> 1.11 # drivers/block/scsi_ioctl.c 1.36 -> 1.38 # drivers/ide/ide-cd.h 1.6 -> 1.7 # drivers/net/sis190.c 1.15 -> 1.16 # # The following is the BitKeeper ChangeSet Log # -------------------------------------------- # 03/11/26 torvalds@home.osdl.org 1.1496 # Linux 2.6.0-test11 # -------------------------------------------- # 03/12/01 hirofumi@mail.parknet.co.jp 1.1497 # [PATCH] Missing initialization of /proc/net/tcp seq_file # # We need to initialize st->state in tcp_seq_start(). Otherwise # tcp_seq_stop() is run with previous st->state, and it calls the unneeded # unlock etc, causing a kernel crash. # -------------------------------------------- # 03/12/01 mingo@elte.hu 1.1498 # [PATCH] Fix lost wakeups problem # # When doing sync wakeups we must not skip the notification of other cpus # if the task is not on this runqueue. # -------------------------------------------- # 03/12/02 torvalds@home.osdl.org 1.1499 # Fix x86 kernel page fault error codes # -------------------------------------------- # 03/12/02 torvalds@home.osdl.org 1.1500 # Fix ide-scsi.c uninitialized variable # -------------------------------------------- # 03/12/03 yoshfuji@linux-ipv6.org 1.1501 # [IPV6]: Fix ipv4 mapped address calculation in udpv6_sendmsg(). # -------------------------------------------- # 03/12/03 laforge@netfilter.org 1.1502 # [NETFILTER]: Sanitize ip_ct_tcp_timeout_close_wait value, from 2.4.x # -------------------------------------------- # 03/12/03 pavlin@icir.org 1.1503 # [RTNETLINK]: Add RTPROT_XORP. # -------------------------------------------- # 03/12/03 mingo@elte.hu 1.1500.1.1 # [PATCH] Fix /proc access to dead thread group list oops # # The pid_alive() check within the loop is incorrect. If we are within # the tasklist lock and the thread group leader is valid then the thread # chain will be fully intact. # # Instead, the check should be _outside_ the loop, since if the group # leader no longer exists, the whole list is gone and we must not try # to access it. # # Move the check around, and add comment. # # Bug-hunting and fix by Srivatsa Vaddagiri # -------------------------------------------- # 03/12/03 torvalds@home.osdl.org 1.1504 # Merge master.kernel.org:/home/davem/BK/net-2.5 # into home.osdl.org:/home/torvalds/v2.5/linux # -------------------------------------------- # 03/12/04 axboe@suse.de 1.1505 # [PATCH] fix broken x86_64 rdtscll # # The scheduler is completed b0rked on x86_64, and I finally found out # why. sched_clock() always returned 0, because rdtscll() always returned # 0. The 'a' in the macro doesn't agree with the 'a' in the function, # yippe :-) # # This is a show stopper for x86_64. # -------------------------------------------- # 03/12/04 khali@linux-fr.org 1.1504.1.1 # [PATCH] I2C: fix i2c_smbus_write_byte() for i2c-nforce2 # # This patch fixes i2c_smbus_write_byte() being broken for i2c-nforce2. # This causes trouble when that module is used together with eeprom (which # is also in 2.6). We have had three user reports about the problem. # # Credits go to Mark D. Studebaker for finding and fixing the problem. # -------------------------------------------- # 03/12/04 torvalds@home.osdl.org 1.1506 # Merge bk://linuxusb.bkbits.net/i2c-2.6 # into home.osdl.org:/home/torvalds/v2.5/linux # -------------------------------------------- # 03/12/04 drepper@redhat.com 1.1507 # [PATCH] Fix 'noexec' behaviour # # We should not allow mmap() with PROT_EXEC on mounts marked "noexec", # since otherwise there is no way for user-supplied executable loaders # (like ld.so and emulator environments) to properly honour the # "noexec"ness of the target. # -------------------------------------------- # 03/12/05 davem@nuts.ninka.net 1.1506.1.1 # [NETFILTER]: In conntrack, do not fragment TSO packets by accident. # -------------------------------------------- # 03/12/05 ja@ssi.bg 1.1506.1.2 # [BRIDGE]: Provide correct TOS value to IPv4 routing. # -------------------------------------------- # 03/12/05 torvalds@home.osdl.org 1.1508 # Merge master.kernel.org:/home/davem/BK/net-2.5 # into home.osdl.org:/home/torvalds/v2.5/linux # -------------------------------------------- # 03/12/05 jgarzik@pobox.com 1.1509 # [PATCH] fix use-after-free in libata # # Fixes oops some were seeing on module unload. # # Caught by Jon Burgess. # -------------------------------------------- # 03/12/05 jgarzik@pobox.com 1.1510 # [PATCH] fix oops on unload in pcnet32 # # The driver was calling pci_unregister_driver for each _device_, and then # again at the end of the module unload routine. Remove the call that's # inside the loop, pci_unregister_driver should only be called once. # # Caught by Don Fry (and many others) # -------------------------------------------- # 03/12/05 jgarzik@pobox.com 1.1511 # [PATCH] remove manual driver poisoning of net_device # # From: Al Viro # # Such poisoning can cause oopses either because the refcount is not # zero when the poisoning occurs, or due to kernel debugging options # being enabled. # -------------------------------------------- # 03/12/06 torvalds@home.osdl.org 1.1512 # Fix the PROT_EXEC breakage on anonymous mmap. # # Clean up the tests while at it. # -------------------------------------------- # 03/12/07 jgarzik@pobox.com 1.1513 # [PATCH] wireless airo oops fix # # From Javier Achirica: # # Delay MIC activation to prevent Oops # -------------------------------------------- # 03/12/07 davem@nuts.ninka.net 1.1512.1.1 # [PKT_SCHED]: Do not dereference the special pointer value 'HTB_DIRECT'. # # Based upon a patch from devik. # -------------------------------------------- # 03/12/07 devik@cdi.cz 1.1512.1.2 # [PKT_SCHED]: In HTB, filters must be destroyed before the classes. # -------------------------------------------- # 03/12/07 torvalds@home.osdl.org 1.1514 # Merge master.kernel.org:/home/davem/BK/net-2.5 # into home.osdl.org:/home/torvalds/v2.5/linux # -------------------------------------------- # 03/12/07 James_McMechan@hotmail.com 1.1515 # [PATCH] tmpfs oops fix # # The problem was that the cursor was in the list being walked, and when # the pointer pointed to the cursor the list_del/list_add_tail pair would # oops trying to find the entry pointed to by the prev pointer of the # deleted cursor element. # # The solution I found was to move the list_del earlier, before the # beginning of the list walk. since it is not used during the list walk and # should not count in the list enumeration it can be deleted, then the # list pointer cannot point to it so it can be added safely with the # list_add_tail without oopsing, and everything works as expected. # # I am unable to oops this version with any of my test programs. # # Patch acked by Al Viro. # -------------------------------------------- # 03/12/08 greg@kroah.com 1.1516 # [PATCH] USB: register usb-serial ports in the proper place in sysfs # # They should be bound to the interface the driver is attached to, not # the device. # -------------------------------------------- # 03/12/08 david-b@pacbell.net 1.1517 # [PATCH] USB: fix remove device after set_configuration # # If a device can't be configured, the current test9 code forgets # to clean it out of sysfs. This resolves that issue, so the retry # in usb_new_device() stands a chance of working. # # The enumeration code still doesn't handle such errors well, but # at least this way that hub port can be used for another device. # -------------------------------------------- # 03/12/08 greg@kroah.com 1.1518 # [PATCH] USB: fix race with hub devices disconnecting while stuff is still happening to them. # -------------------------------------------- # 03/12/08 acme@conectiva.com.br 1.1515.1.1 # [IPV6]: Fix TCP socket leak. # # TCP IPV6 ->hash() method should not grab a socket reference. # -------------------------------------------- # 03/12/09 axboe@suse.de 1.1515.1.2 # [PATCH] scsi_ioctl memcpy'ing user address # # James reported a bug in scsi_ioctl.c where it mem copies a user pointer # instead of using copy_from_user(). I inadvertently introduced this one # when getting rid of CDROM_SEND_PACKET. Here's a trivial patch to fix it. # -------------------------------------------- # 03/12/09 mdharm-usb@one-eyed-alien.net 1.1519 # [PATCH] USB storage: fix for jumpshot and datafab devices # # This patch fixes some obvious errors in the jumpshot and datafab drivers. # # This should close out Bugzilla bug #1408 # # > Date: Mon, 1 Dec 2003 12:14:53 -0500 (EST) # > From: Alan Stern # > Subject: Patch from Eduard Hasenleithner # > To: Matthew Dharm # > cc: USB Storage List # > # > Matt: # > # > Did you see this patch? It was posted to the usb-development mailing list # > about a week ago, before I started making all my changes. It is clearly # > correct and necessary. # > # > Alan Stern # -------------------------------------------- # 03/12/09 trini@kernel.crashing.org 1.1520 # [PATCH] USB: mark the scanner driver as obsolete # # On Mon, Dec 01, 2003 at 11:21:58AM -0800, Greg KH wrote: # > Can't you use xsane without the scanner kernel driver? I thought the # > latest versions used libusb/usbfs to talk directly to the hardware. # > Because of this, the USB scanner driver is marked to be removed from the # > kernel sometime in the near future. # # After a bit of mucking around (and possibly finding a bug with debian's # libusb/xsane/hotplug interaction, nothing seems to run # /etc/hotplug/usb/libusbscanner and thus only root can scan, anyone whose # got this working please let me know), the problem does not exist if I # only use libusb xsane. # # How about the following: # -------------------------------------------- # 03/12/09 oliver@neukum.org 1.1521 # [PATCH] USB: fix sleping in interrupt bug in auerswald driver # # this fixes two instances of GFP_KERNEL from completion handlers. # -------------------------------------------- # 03/12/09 oliver@neukum.org 1.1522 # [PATCH] USB: fix race with signal delivery in usbfs # # apart from locking bugs, there are other races. This fixes one with # signal delivery. The signal should be delivered _before_ the reciever # is woken. # -------------------------------------------- # 03/12/09 stern@rowland.harvard.edu 1.1523 # [PATCH] USB: fix bug not setting device state following usb_device_reset() # -------------------------------------------- # 03/12/09 herbert@gondor.apana.org.au 1.1524 # [PATCH] USB: Fix connect/disconnect race # # This patch was integrated by you in 2.4 six months ago. Unfortunately # it never got into 2.5. Without it you can end up with crashes such # as http://bugs.debian.org/218670 # -------------------------------------------- # 03/12/10 greg@kroah.com 1.1525 # [PATCH] USB: fix bug for multiple opens on ttyUSB devices. # # This patch fixes the bug where running ppp over a ttyUSB device would fail. # -------------------------------------------- # 03/12/10 arvidjaar@mail.ru 1.1526 # [PATCH] USB: prevent catch-all USB aliases in modules.alias # # visor.c defines one empty slot in USB ids table that can be filled in at # runtime using module parameters. file2alias generates catch-all alias for it: # # alias usb:v*p*dl*dh*dc*dsc*dp*ic*isc*ip* visor # # patch adds the same sanity check as in depmod to scripts/file2alias. # -------------------------------------------- # 03/12/10 greg@kroah.com 1.1527 # Merge kroah.com:/home/greg/linux/BK/bleed-2.5 # into kroah.com:/home/greg/linux/BK/usb-2.6 # -------------------------------------------- # 03/12/11 greg@kroah.com 1.1528 # kobject: fix bug where a parent could be deleted before a child device. # -------------------------------------------- # 03/12/12 torvalds@home.osdl.org 1.1515.1.3 # Fix subtle bug in "finish_wait()", which can cause kernel stack # corruption on SMP because of another CPU still accessing a waitqueue # even after it was de-allocated. # # Use a careful version of the list emptiness check to make sure we # don't de-allocate the stack frame before the waitqueue is all done. # -------------------------------------------- # 03/12/13 axboe@suse.de 1.1515.1.4 # [PATCH] no bio unmap on cdb copy failure # # The previous scsi_ioctl.c patch didn't cleanup the buffer/bio in the # error case. # # Fix it by copying the command data earlier. # -------------------------------------------- # 03/12/13 l.s.r@web.de 1.1515.1.5 # [PATCH] HPFS: missing lock_kernel() in hpfs_readdir() # # In 2.5.x, the BKL was pushed from vfs_readdir() into the filesystem # specific functions. But only the unlock_kernel() made it into the HPFS # code, lock_kernel() got lost on the way. This rendered the filesystem # unusable. # # This adds the missing lock_kernel(). It's been tested by Timo Maier who # also reported the problem earlier today. # -------------------------------------------- # 03/12/13 torvalds@home.osdl.org 1.1515.1.6 # More subtle SMP bugs in prepare_to_wait()/finish_wait(). # # This time we have a SMP memory ordering issue in prepare_to_wait(), # where we really need to make sure that subsequent tests for the # event we are waiting for can not migrate up to before the wait # queue has been set up. # -------------------------------------------- # 03/12/14 torvalds@home.osdl.org 1.1515.1.7 # Fix thread group leader zombie leak # # Petr Vandrovec noticed a problem where the thread group leader # would not be properly reaped if the parent of the thread group # was ignoring SIGCHLD, and the thread group leader had exited # before the last sub-thread. # # Fixed by Ingo Molnar. # -------------------------------------------- # 03/12/15 neilb@cse.unsw.edu.au 1.1515.1.8 # [PATCH] Fix possible bio corruption with RAID5 # # 1/ make sure raid5 doesn't try to handle multiple overlaping # requests at the same time as this would confuse things badly. # Currently it justs BUGs if this is attempted. # 2/ Fix a possible data-loss-on-write problem. If two or # more bio's that write to the same page are processed at the # same time, only the first was actually commited to storage. # 3/ Fix a use-after-free bug. raid5 keeps the bio's it is given # in linked lists when more than one bio touch a single page. # In some cases the tail of this list can be freed, and # the current test for 'are we at the end' isn't reliable. # This patch strengths the test to make it reliable. # -------------------------------------------- # 03/12/15 torvalds@home.osdl.org 1.1529 # Merge bk://linuxusb.bkbits.net/gregkh-2.6 # into home.osdl.org:/home/torvalds/v2.5/linux # -------------------------------------------- # 03/12/16 axboe@suse.de 1.1530 # [PATCH] Fix IDE bus reset and DMA disable when reading blank DVD-R # # From Jon Burgess: # # There is a problems with blank DVD media using the ide-cd driver. # # When we attempt to read the blank disk, the drive responds to the read # request by returning a "blank media" error. The kernel doesn't have # any special case handling for this sense value and retries the request # a couple of times, then gives up and does a bus reset and disables DMA # to the device. # # Which obviously doesn't help the situation. # # The sense key value of 8 isn't listed in ide-cd.h, but it is listed in # scsi.h as a "BLANK_CHECK" error. # # This trivial patch treats this error condition as a reason to abort # the request. This behaviour is the same as what we do with a blank CD-R. # # It looks like the same fix might be desired for 2.4 as well, although # is perhaps not so important since scsi-ide is normally used instead. # -------------------------------------------- # diff -Nru a/arch/i386/mm/fault.c b/arch/i386/mm/fault.c --- a/arch/i386/mm/fault.c Tue Dec 16 20:35:41 2003 +++ b/arch/i386/mm/fault.c Tue Dec 16 20:35:41 2003 @@ -359,7 +359,8 @@ return; tsk->thread.cr2 = address; - tsk->thread.error_code = error_code; + /* Kernel addresses are always protection faults */ + tsk->thread.error_code = error_code | (address >= TASK_SIZE); tsk->thread.trap_no = 14; info.si_signo = SIGSEGV; info.si_errno = 0; diff -Nru a/drivers/block/scsi_ioctl.c b/drivers/block/scsi_ioctl.c --- a/drivers/block/scsi_ioctl.c Tue Dec 16 20:35:41 2003 +++ b/drivers/block/scsi_ioctl.c Tue Dec 16 20:35:41 2003 @@ -150,6 +150,7 @@ struct request *rq; struct bio *bio; char sense[SCSI_SENSE_BUFFERSIZE]; + unsigned char cdb[BLK_MAX_CDB]; void *buffer; if (hdr->interface_id != 'S') @@ -166,6 +167,9 @@ if (hdr->dxfer_len > (q->max_sectors << 9)) return -EIO; + if (copy_from_user(cdb, hdr->cmdp, hdr->cmd_len)) + return -EFAULT; + reading = writing = 0; buffer = NULL; bio = NULL; @@ -216,7 +220,7 @@ * fill in request structure */ rq->cmd_len = hdr->cmd_len; - memcpy(rq->cmd, hdr->cmdp, hdr->cmd_len); + memcpy(rq->cmd, cdb, hdr->cmd_len); if (sizeof(rq->cmd) != hdr->cmd_len) memset(rq->cmd + hdr->cmd_len, 0, sizeof(rq->cmd) - hdr->cmd_len); diff -Nru a/drivers/i2c/busses/i2c-nforce2.c b/drivers/i2c/busses/i2c-nforce2.c --- a/drivers/i2c/busses/i2c-nforce2.c Tue Dec 16 20:35:41 2003 +++ b/drivers/i2c/busses/i2c-nforce2.c Tue Dec 16 20:35:41 2003 @@ -147,7 +147,7 @@ case I2C_SMBUS_BYTE: if (read_write == I2C_SMBUS_WRITE) - outb_p(data->byte, NVIDIA_SMB_DATA); + outb_p(command, NVIDIA_SMB_CMD); protocol |= NVIDIA_SMB_PRTCL_BYTE; break; diff -Nru a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c --- a/drivers/ide/ide-cd.c Tue Dec 16 20:35:41 2003 +++ b/drivers/ide/ide-cd.c Tue Dec 16 20:35:41 2003 @@ -799,6 +799,10 @@ * sector... If we got here the error is not correctable */ ide_dump_status (drive, "media error (bad sector)", stat); do_end_request = 1; + } else if (sense_key == BLANK_CHECK) { + /* Disk appears blank ?? */ + ide_dump_status (drive, "media error (blank)", stat); + do_end_request = 1; } else if ((err & ~ABRT_ERR) != 0) { /* Go to the default handler for other errors. */ diff -Nru a/drivers/ide/ide-cd.h b/drivers/ide/ide-cd.h --- a/drivers/ide/ide-cd.h Tue Dec 16 20:35:41 2003 +++ b/drivers/ide/ide-cd.h Tue Dec 16 20:35:41 2003 @@ -501,6 +501,7 @@ #define ILLEGAL_REQUEST 0x05 #define UNIT_ATTENTION 0x06 #define DATA_PROTECT 0x07 +#define BLANK_CHECK 0x08 #define ABORTED_COMMAND 0x0b #define MISCOMPARE 0x0e @@ -578,7 +579,7 @@ "Illegal request", "Unit attention", "Data protect", - "(reserved)", + "Blank check", "(reserved)", "(reserved)", "Aborted command", diff -Nru a/drivers/md/raid5.c b/drivers/md/raid5.c --- a/drivers/md/raid5.c Tue Dec 16 20:35:41 2003 +++ b/drivers/md/raid5.c Tue Dec 16 20:35:41 2003 @@ -40,6 +40,16 @@ #define stripe_hash(conf, sect) ((conf)->stripe_hashtbl[((sect) >> STRIPE_SHIFT) & HASH_MASK]) +/* bio's attached to a stripe+device for I/O are linked together in bi_sector + * order without overlap. There may be several bio's per stripe+device, and + * a bio could span several devices. + * When walking this list for a particular stripe+device, we must never proceed + * beyond a bio that extends past this device, as the next bio might no longer + * be valid. + * This macro is used to determine the 'next' bio in the list, given the sector + * of the current stripe+device + */ +#define r5_next_bio(bio, sect) ( ( bio->bi_sector + (bio->bi_size>>9) < sect + STRIPE_SECTORS) ? bio->bi_next : NULL) /* * The following can be used to debug the driver */ @@ -613,7 +623,7 @@ int i; for (;bio && bio->bi_sector < sector+STRIPE_SECTORS; - bio = bio->bi_next) { + bio = r5_next_bio(bio, sector) ) { int page_offset; if (bio->bi_sector >= sector) page_offset = (signed)(bio->bi_sector - sector) * 512; @@ -738,7 +748,11 @@ for (i = disks; i--;) if (sh->dev[i].written) { sector_t sector = sh->dev[i].sector; - copy_data(1, sh->dev[i].written, sh->dev[i].page, sector); + struct bio *wbi = sh->dev[i].written; + while (wbi && wbi->bi_sector < sector + STRIPE_SECTORS) { + copy_data(1, wbi, sh->dev[i].page, sector); + wbi = r5_next_bio(wbi, sector); + } set_bit(R5_LOCKED, &sh->dev[i].flags); set_bit(R5_UPTODATE, &sh->dev[i].flags); @@ -791,8 +805,10 @@ bip = &sh->dev[dd_idx].towrite; else bip = &sh->dev[dd_idx].toread; - while (*bip && (*bip)->bi_sector < bi->bi_sector) + while (*bip && (*bip)->bi_sector < bi->bi_sector) { + BUG_ON((*bip)->bi_sector + ((*bip)->bi_size >> 9) > bi->bi_sector); bip = & (*bip)->bi_next; + } /* FIXME do I need to worry about overlapping bion */ if (*bip && bi->bi_next && (*bip) != bi->bi_next) BUG(); @@ -813,7 +829,7 @@ for (bi=sh->dev[dd_idx].towrite; sector < sh->dev[dd_idx].sector + STRIPE_SECTORS && bi && bi->bi_sector <= sector; - bi = bi->bi_next) { + bi = r5_next_bio(bi, sh->dev[dd_idx].sector)) { if (bi->bi_sector + (bi->bi_size>>9) >= sector) sector = bi->bi_sector + (bi->bi_size>>9); } @@ -883,7 +899,7 @@ spin_unlock_irq(&conf->device_lock); while (rbi && rbi->bi_sector < dev->sector + STRIPE_SECTORS) { copy_data(0, rbi, dev->page, dev->sector); - rbi2 = rbi->bi_next; + rbi2 = r5_next_bio(rbi, dev->sector); spin_lock_irq(&conf->device_lock); if (--rbi->bi_phys_segments == 0) { rbi->bi_next = return_bi; @@ -928,7 +944,7 @@ if (bi) to_write--; while (bi && bi->bi_sector < sh->dev[i].sector + STRIPE_SECTORS){ - struct bio *nextbi = bi->bi_next; + struct bio *nextbi = r5_next_bio(bi, sh->dev[i].sector); clear_bit(BIO_UPTODATE, &bi->bi_flags); if (--bi->bi_phys_segments == 0) { md_write_end(conf->mddev); @@ -941,7 +957,7 @@ bi = sh->dev[i].written; sh->dev[i].written = NULL; while (bi && bi->bi_sector < sh->dev[i].sector + STRIPE_SECTORS) { - struct bio *bi2 = bi->bi_next; + struct bio *bi2 = r5_next_bio(bi, sh->dev[i].sector); clear_bit(BIO_UPTODATE, &bi->bi_flags); if (--bi->bi_phys_segments == 0) { md_write_end(conf->mddev); @@ -957,7 +973,7 @@ sh->dev[i].toread = NULL; if (bi) to_read--; while (bi && bi->bi_sector < sh->dev[i].sector + STRIPE_SECTORS){ - struct bio *nextbi = bi->bi_next; + struct bio *nextbi = r5_next_bio(bi, sh->dev[i].sector); clear_bit(BIO_UPTODATE, &bi->bi_flags); if (--bi->bi_phys_segments == 0) { bi->bi_next = return_bi; @@ -1000,7 +1016,7 @@ wbi = dev->written; dev->written = NULL; while (wbi && wbi->bi_sector < dev->sector + STRIPE_SECTORS) { - wbi2 = wbi->bi_next; + wbi2 = r5_next_bio(wbi, dev->sector); if (--wbi->bi_phys_segments == 0) { md_write_end(conf->mddev); wbi->bi_next = return_bi; diff -Nru a/drivers/net/pci-skeleton.c b/drivers/net/pci-skeleton.c --- a/drivers/net/pci-skeleton.c Tue Dec 16 20:35:41 2003 +++ b/drivers/net/pci-skeleton.c Tue Dec 16 20:35:41 2003 @@ -864,13 +864,6 @@ pci_release_regions (pdev); -#ifndef NETDRV_NDEBUG - /* poison memory before freeing */ - memset (dev, 0xBC, - sizeof (struct net_device) + - sizeof (struct netdrv_private)); -#endif /* NETDRV_NDEBUG */ - free_netdev (dev); pci_set_drvdata (pdev, NULL); diff -Nru a/drivers/net/pcnet32.c b/drivers/net/pcnet32.c --- a/drivers/net/pcnet32.c Tue Dec 16 20:35:41 2003 +++ b/drivers/net/pcnet32.c Tue Dec 16 20:35:41 2003 @@ -1766,8 +1766,6 @@ next_dev = lp->next; unregister_netdev(pcnet32_dev); release_region(pcnet32_dev->base_addr, PCNET32_TOTAL_SIZE); - if (lp->pci_dev) - pci_unregister_driver(&pcnet32_driver); pci_free_consistent(lp->pci_dev, sizeof(*lp), lp, lp->dma_addr); free_netdev(pcnet32_dev); pcnet32_dev = next_dev; diff -Nru a/drivers/net/r8169.c b/drivers/net/r8169.c --- a/drivers/net/r8169.c Tue Dec 16 20:35:41 2003 +++ b/drivers/net/r8169.c Tue Dec 16 20:35:41 2003 @@ -642,10 +642,6 @@ iounmap(tp->mmio_addr); pci_release_regions(pdev); - // poison memory before freeing - memset(dev, 0xBC, - sizeof (struct net_device) + sizeof (struct rtl8169_private)); - pci_disable_device(pdev); free_netdev(dev); pci_set_drvdata(pdev, NULL); diff -Nru a/drivers/net/sis190.c b/drivers/net/sis190.c --- a/drivers/net/sis190.c Tue Dec 16 20:35:41 2003 +++ b/drivers/net/sis190.c Tue Dec 16 20:35:41 2003 @@ -703,10 +703,6 @@ iounmap(tp->mmio_addr); pci_release_regions(pdev); - // poison memory before freeing - memset(dev, 0xBC, - sizeof (struct net_device) + sizeof (struct sis190_private)); - free_netdev(dev); pci_set_drvdata(pdev, NULL); } diff -Nru a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c --- a/drivers/net/wireless/airo.c Tue Dec 16 20:35:41 2003 +++ b/drivers/net/wireless/airo.c Tue Dec 16 20:35:41 2003 @@ -2466,11 +2466,8 @@ OUT4500( apriv, EVACK, EV_MIC ); #ifdef MICSUPPORT if (test_bit(FLAG_MIC_CAPABLE, &apriv->flags)) { - if (down_trylock(&apriv->sem) != 0) { - set_bit(JOB_MIC, &apriv->flags); - wake_up_interruptible(&apriv->thr_wait); - } else - micinit (apriv); + set_bit(JOB_MIC, &apriv->flags); + wake_up_interruptible(&apriv->thr_wait); } #endif } diff -Nru a/drivers/scsi/ide-scsi.c b/drivers/scsi/ide-scsi.c --- a/drivers/scsi/ide-scsi.c Tue Dec 16 20:35:41 2003 +++ b/drivers/scsi/ide-scsi.c Tue Dec 16 20:35:41 2003 @@ -517,6 +517,7 @@ pc->current_position=pc->buffer; bcount.all = IDE_MIN(pc->request_transfer, 63 * 1024); /* Request to transfer the entire buffer at once */ + feature.all = 0; if (drive->using_dma && rq->bio) { if (test_bit(PC_WRITING, &pc->flags)) feature.b.dma = !HWIF(drive)->ide_dma_write(drive); diff -Nru a/drivers/scsi/libata-core.c b/drivers/scsi/libata-core.c --- a/drivers/scsi/libata-core.c Tue Dec 16 20:35:41 2003 +++ b/drivers/scsi/libata-core.c Tue Dec 16 20:35:41 2003 @@ -3224,8 +3224,6 @@ scsi_host_put(ap->host); /* FIXME: check return val */ } - kfree(host_set); - pci_release_regions(pdev); for (i = 0; i < host_set->n_ports; i++) { @@ -3242,6 +3240,7 @@ } } + kfree(host_set); pci_disable_device(pdev); pci_set_drvdata(pdev, NULL); } diff -Nru a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c --- a/drivers/usb/core/devio.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/core/devio.c Tue Dec 16 20:35:41 2003 @@ -261,7 +261,6 @@ spin_lock(&ps->lock); list_move_tail(&as->asynclist, &ps->async_completed); spin_unlock(&ps->lock); - wake_up(&ps->wait); if (as->signr) { sinfo.si_signo = as->signr; sinfo.si_errno = as->urb->status; @@ -269,6 +268,7 @@ sinfo.si_addr = (void *)as->userurb; send_sig_info(as->signr, &sinfo, as->task); } + wake_up(&ps->wait); } static void destroy_async (struct dev_state *ps, struct list_head *list) diff -Nru a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c --- a/drivers/usb/core/hub.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/core/hub.c Tue Dec 16 20:35:41 2003 @@ -692,6 +692,9 @@ struct usb_hub *hub = usb_get_intfdata(dev->actconfig->interface[0]); int ret; + if (!hub) + return -ENODEV; + ret = get_port_status(dev, port + 1, &hub->status->port); if (ret < 0) dev_err (hubdev (dev), @@ -926,7 +929,6 @@ break; } - hub->children[port] = dev; dev->state = USB_STATE_POWERED; /* Reset the device, and detect its speed */ @@ -979,8 +981,10 @@ dev->dev.parent = dev->parent->dev.parent->parent; /* Run it through the hoops (find a driver, etc) */ - if (!usb_new_device(dev, &hub->dev)) + if (!usb_new_device(dev, &hub->dev)) { + hub->children[port] = dev; goto done; + } /* Free the configuration if there was an error */ usb_put_dev(dev); @@ -989,7 +993,6 @@ delay = HUB_LONG_RESET_TIME; } - hub->children[port] = NULL; hub_port_disable(hub, port); done: up(&usb_address0_sem); @@ -1342,6 +1345,7 @@ dev->devpath, ret); return ret; } + dev->state = USB_STATE_CONFIGURED; for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { struct usb_interface *intf = dev->actconfig->interface[i]; diff -Nru a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c --- a/drivers/usb/core/usb.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/core/usb.c Tue Dec 16 20:35:41 2003 @@ -1120,6 +1120,7 @@ if (err) { dev_err(&dev->dev, "can't set config #%d, error %d\n", dev->config[0].desc.bConfigurationValue, err); + device_del(&dev->dev); goto fail; } diff -Nru a/drivers/usb/image/Kconfig b/drivers/usb/image/Kconfig --- a/drivers/usb/image/Kconfig Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/image/Kconfig Tue Dec 16 20:35:41 2003 @@ -18,12 +18,14 @@ module will be called mdc800. config USB_SCANNER - tristate "USB Scanner support" + tristate "USB Scanner support (OBSOLETE)" depends on USB help Say Y here if you want to connect a USB scanner to your computer's USB port. Please read for more information. + + This driver has been obsoleted by support via libusb. To compile this driver as a module, choose M here: the module will be called scanner. diff -Nru a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c --- a/drivers/usb/misc/auerswald.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/misc/auerswald.c Tue Dec 16 20:35:41 2003 @@ -324,7 +324,7 @@ urb = acep->urbp; dbg ("auerchain_complete: submitting next urb from chain"); urb->status = 0; /* needed! */ - result = usb_submit_urb(urb, GFP_KERNEL); + result = usb_submit_urb(urb, GFP_ATOMIC); /* check for submit errors */ if (result) { @@ -402,7 +402,7 @@ if (acep) { dbg("submitting urb immediate"); urb->status = 0; /* needed! */ - result = usb_submit_urb(urb, GFP_KERNEL); + result = usb_submit_urb(urb, GFP_ATOMIC); /* check for submit errors */ if (result) { urb->status = result; diff -Nru a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c --- a/drivers/usb/serial/usb-serial.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/serial/usb-serial.c Tue Dec 16 20:35:41 2003 @@ -493,12 +493,15 @@ return retval; } -static void __serial_close(struct usb_serial_port *port, struct file *filp) +static void serial_close(struct tty_struct *tty, struct file * filp) { - if (!port->open_count) { - dbg ("%s - port not opened", __FUNCTION__); + struct usb_serial_port *port = (struct usb_serial_port *) tty->driver_data; + struct usb_serial *serial = get_usb_serial (port, __FUNCTION__); + + if (!serial) return; - } + + dbg("%s - port %d", __FUNCTION__, port->number); --port->open_count; if (port->open_count <= 0) { @@ -506,30 +509,18 @@ * port is being closed by the last owner */ port->serial->type->close(port, filp); port->open_count = 0; + + if (port->tty) { + if (port->tty->driver_data) + port->tty->driver_data = NULL; + port->tty = NULL; + } } module_put(port->serial->type->owner); kobject_put(&port->serial->kobj); } -static void serial_close(struct tty_struct *tty, struct file * filp) -{ - struct usb_serial_port *port = (struct usb_serial_port *) tty->driver_data; - struct usb_serial *serial = get_usb_serial (port, __FUNCTION__); - - if (!serial) - return; - - dbg("%s - port %d", __FUNCTION__, port->number); - - /* if disconnect beat us to the punch here, there's nothing to do */ - if (tty && tty->driver_data) { - __serial_close(port, filp); - tty->driver_data = NULL; - } - port->tty = NULL; -} - static int serial_write (struct tty_struct * tty, int from_user, const unsigned char *buf, int count) { struct usb_serial_port *port = (struct usb_serial_port *) tty->driver_data; @@ -848,19 +839,6 @@ dbg ("%s - %s", __FUNCTION__, kobj->name); serial = to_usb_serial(kobj); - - /* fail all future close/read/write/ioctl/etc calls */ - for (i = 0; i < serial->num_ports; ++i) { - port = serial->port[i]; - if (port->tty != NULL) { - port->tty->driver_data = NULL; - while (port->open_count > 0) { - __serial_close(port, NULL); - } - port->tty = NULL; - } - } - serial_shutdown (serial); /* return the minor range that this device had */ @@ -1242,7 +1220,7 @@ /* register all of the individual ports with the driver core */ for (i = 0; i < num_ports; ++i) { port = serial->port[i]; - port->dev.parent = &serial->dev->dev; + port->dev.parent = &interface->dev; port->dev.driver = NULL; port->dev.bus = &usb_serial_bus_type; port->dev.release = &port_release; diff -Nru a/drivers/usb/storage/datafab.c b/drivers/usb/storage/datafab.c --- a/drivers/usb/storage/datafab.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/storage/datafab.c Tue Dec 16 20:35:41 2003 @@ -387,7 +387,7 @@ // we'll go ahead and extract the media capacity while we're here... // - rc = datafab_bulk_read(us, reply, sizeof(reply)); + rc = datafab_bulk_read(us, reply, 512); if (rc == USB_STOR_XFER_GOOD) { // capacity is at word offset 57-58 // diff -Nru a/drivers/usb/storage/jumpshot.c b/drivers/usb/storage/jumpshot.c --- a/drivers/usb/storage/jumpshot.c Tue Dec 16 20:35:41 2003 +++ b/drivers/usb/storage/jumpshot.c Tue Dec 16 20:35:41 2003 @@ -317,7 +317,7 @@ } // read the reply - rc = jumpshot_bulk_read(us, reply, sizeof(reply)); + rc = jumpshot_bulk_read(us, reply, 512); if (rc != USB_STOR_XFER_GOOD) { rc = USB_STOR_TRANSPORT_ERROR; goto leave; diff -Nru a/fs/hpfs/dir.c b/fs/hpfs/dir.c --- a/fs/hpfs/dir.c Tue Dec 16 20:35:41 2003 +++ b/fs/hpfs/dir.c Tue Dec 16 20:35:41 2003 @@ -65,6 +65,8 @@ int c1, c2 = 0; int ret = 0; + lock_kernel(); + if (hpfs_sb(inode->i_sb)->sb_chk) { if (hpfs_chk_sectors(inode->i_sb, inode->i_ino, 1, "dir_fnode")) { ret = -EFSERROR; diff -Nru a/fs/libfs.c b/fs/libfs.c --- a/fs/libfs.c Tue Dec 16 20:35:41 2003 +++ b/fs/libfs.c Tue Dec 16 20:35:41 2003 @@ -79,6 +79,7 @@ loff_t n = file->f_pos - 2; spin_lock(&dcache_lock); + list_del(&cursor->d_child); p = file->f_dentry->d_subdirs.next; while (n && p != &file->f_dentry->d_subdirs) { struct dentry *next; @@ -87,7 +88,6 @@ n--; p = p->next; } - list_del(&cursor->d_child); list_add_tail(&cursor->d_child, p); spin_unlock(&dcache_lock); } diff -Nru a/fs/proc/base.c b/fs/proc/base.c --- a/fs/proc/base.c Tue Dec 16 20:35:41 2003 +++ b/fs/proc/base.c Tue Dec 16 20:35:41 2003 @@ -1666,10 +1666,14 @@ index -= 2; read_lock(&tasklist_lock); - do { + /* + * The starting point task (leader_task) might be an already + * unlinked task, which cannot be used to access the task-list + * via next_thread(). + */ + if (pid_alive(task)) do { int tid = task->pid; - if (!pid_alive(task)) - continue; + if (--index >= 0) continue; tids[nr_tids] = tid; diff -Nru a/include/asm-x86_64/msr.h b/include/asm-x86_64/msr.h --- a/include/asm-x86_64/msr.h Tue Dec 16 20:35:41 2003 +++ b/include/asm-x86_64/msr.h Tue Dec 16 20:35:41 2003 @@ -50,9 +50,9 @@ __asm__ __volatile__ ("rdtsc" : "=a" (low) : : "edx") #define rdtscll(val) do { \ - unsigned int a,d; \ - asm volatile("rdtsc" : "=a" (a), "=d" (d)); \ - (val) = ((unsigned long)a) | (((unsigned long)d)<<32); \ + unsigned int __a,__d; \ + asm volatile("rdtsc" : "=a" (__a), "=d" (__d)); \ + (val) = ((unsigned long)__a) | (((unsigned long)__d)<<32); \ } while(0) #define rdpmc(counter,low,high) \ diff -Nru a/include/linux/blkdev.h b/include/linux/blkdev.h --- a/include/linux/blkdev.h Tue Dec 16 20:35:41 2003 +++ b/include/linux/blkdev.h Tue Dec 16 20:35:41 2003 @@ -82,6 +82,8 @@ wait_queue_head_t wait[2]; }; +#define BLK_MAX_CDB 16 + /* * try to put the fields that are referenced together in the same cacheline */ @@ -147,7 +149,7 @@ * when request is used as a packet command carrier */ unsigned int cmd_len; - unsigned char cmd[16]; + unsigned char cmd[BLK_MAX_CDB]; unsigned int data_len; void *data; diff -Nru a/include/linux/list.h b/include/linux/list.h --- a/include/linux/list.h Tue Dec 16 20:35:41 2003 +++ b/include/linux/list.h Tue Dec 16 20:35:41 2003 @@ -208,6 +208,18 @@ return head->next == head; } +/** + * list_empty_careful - tests whether a list is + * empty _and_ checks that no other CPU might be + * in the process of still modifying either member + * @head: the list to test. + */ +static inline int list_empty_careful(const struct list_head *head) +{ + struct list_head *next = head->next; + return (next == head) && (next == head->prev); +} + static inline void __list_splice(struct list_head *list, struct list_head *head) { diff -Nru a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h --- a/include/linux/rtnetlink.h Tue Dec 16 20:35:41 2003 +++ b/include/linux/rtnetlink.h Tue Dec 16 20:35:41 2003 @@ -138,6 +138,7 @@ #define RTPROT_ZEBRA 11 /* Zebra */ #define RTPROT_BIRD 12 /* BIRD */ #define RTPROT_DNROUTED 13 /* DECnet routing daemon */ +#define RTPROT_XORP 14 /* XORP */ /* rtm_scope diff -Nru a/kernel/exit.c b/kernel/exit.c --- a/kernel/exit.c Tue Dec 16 20:35:41 2003 +++ b/kernel/exit.c Tue Dec 16 20:35:41 2003 @@ -49,9 +49,11 @@ void release_task(struct task_struct * p) { + int zap_leader; task_t *leader; struct dentry *proc_dentry; - + +repeat: BUG_ON(p->state < TASK_ZOMBIE); atomic_dec(&p->user->processes); @@ -70,10 +72,21 @@ * group, and the leader is zombie, then notify the * group leader's parent process. (if it wants notification.) */ + zap_leader = 0; leader = p->group_leader; - if (leader != p && thread_group_empty(leader) && - leader->state == TASK_ZOMBIE && leader->exit_signal != -1) + if (leader != p && thread_group_empty(leader) && leader->state == TASK_ZOMBIE) { + BUG_ON(leader->exit_signal == -1); do_notify_parent(leader, leader->exit_signal); + /* + * If we were the last child thread and the leader has + * exited already, and the leader's parent ignores SIGCHLD, + * then we are the one who should release the leader. + * + * do_notify_parent() will have marked it self-reaping in + * that case. + */ + zap_leader = (leader->exit_signal == -1); + } p->parent->cutime += p->utime + p->cutime; p->parent->cstime += p->stime + p->cstime; @@ -88,6 +101,10 @@ proc_pid_flush(proc_dentry); release_thread(p); put_task_struct(p); + + p = leader; + if (unlikely(zap_leader)) + goto repeat; } /* we are using it only for SMP init */ diff -Nru a/kernel/fork.c b/kernel/fork.c --- a/kernel/fork.c Tue Dec 16 20:35:41 2003 +++ b/kernel/fork.c Tue Dec 16 20:35:41 2003 @@ -125,15 +125,28 @@ EXPORT_SYMBOL(remove_wait_queue); + +/* + * Note: we use "set_current_state()" _after_ the wait-queue add, + * because we need a memory barrier there on SMP, so that any + * wake-function that tests for the wait-queue being active + * will be guaranteed to see waitqueue addition _or_ subsequent + * tests in this thread will see the wakeup having taken place. + * + * The spin_unlock() itself is semi-permeable and only protects + * one way (it only protects stuff inside the critical region and + * stops them from bleeding out - it would still allow subsequent + * loads to move into the the critical region). + */ void prepare_to_wait(wait_queue_head_t *q, wait_queue_t *wait, int state) { unsigned long flags; - __set_current_state(state); wait->flags &= ~WQ_FLAG_EXCLUSIVE; spin_lock_irqsave(&q->lock, flags); if (list_empty(&wait->task_list)) __add_wait_queue(q, wait); + set_current_state(state); spin_unlock_irqrestore(&q->lock, flags); } @@ -144,11 +157,11 @@ { unsigned long flags; - __set_current_state(state); wait->flags |= WQ_FLAG_EXCLUSIVE; spin_lock_irqsave(&q->lock, flags); if (list_empty(&wait->task_list)) __add_wait_queue_tail(q, wait); + set_current_state(state); spin_unlock_irqrestore(&q->lock, flags); } @@ -159,7 +172,20 @@ unsigned long flags; __set_current_state(TASK_RUNNING); - if (!list_empty(&wait->task_list)) { + /* + * We can check for list emptiness outside the lock + * IFF: + * - we use the "careful" check that verifies both + * the next and prev pointers, so that there cannot + * be any half-pending updates in progress on other + * CPU's that we haven't seen yet (and that might + * still change the stack area. + * and + * - all other users take the lock (ie we can only + * have _one_ other CPU that looks at or modifies + * the list). + */ + if (!list_empty_careful(&wait->task_list)) { spin_lock_irqsave(&q->lock, flags); list_del_init(&wait->task_list); spin_unlock_irqrestore(&q->lock, flags); diff -Nru a/kernel/sched.c b/kernel/sched.c --- a/kernel/sched.c Tue Dec 16 20:35:41 2003 +++ b/kernel/sched.c Tue Dec 16 20:35:41 2003 @@ -646,7 +646,7 @@ */ p->activated = -1; } - if (sync) + if (sync && (task_cpu(p) == smp_processor_id())) __activate_task(p, rq); else { activate_task(p, rq); diff -Nru a/lib/kobject.c b/lib/kobject.c --- a/lib/kobject.c Tue Dec 16 20:35:41 2003 +++ b/lib/kobject.c Tue Dec 16 20:35:41 2003 @@ -236,8 +236,6 @@ list_del_init(&kobj->entry); up_write(&kobj->kset->subsys->rwsem); } - if (kobj->parent) - kobject_put(kobj->parent); kobject_put(kobj); } @@ -274,9 +272,11 @@ kobj->parent = parent; error = create_dir(kobj); - if (error) + if (error) { unlink(kobj); - else { + if (parent) + kobject_put(parent); + } else { /* If this kobj does not belong to a kset, try to find a parent that does. */ top_kobj = kobj; @@ -452,6 +452,7 @@ { struct kobj_type * t = get_ktype(kobj); struct kset * s = kobj->kset; + struct kobject * parent = kobj->parent; pr_debug("kobject %s: cleaning up\n",kobject_name(kobj)); if (kobj->k_name != kobj->name) @@ -461,6 +462,8 @@ t->release(kobj); if (s) kset_put(s); + if (parent) + kobject_put(parent); } /** diff -Nru a/mm/mmap.c b/mm/mmap.c --- a/mm/mmap.c Tue Dec 16 20:35:41 2003 +++ b/mm/mmap.c Tue Dec 16 20:35:41 2003 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include @@ -474,8 +475,13 @@ struct rb_node ** rb_link, * rb_parent; unsigned long charged = 0; - if (file && (!file->f_op || !file->f_op->mmap)) - return -ENODEV; + if (file) { + if (!file->f_op || !file->f_op->mmap) + return -ENODEV; + + if ((prot & PROT_EXEC) && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC)) + return -EPERM; + } if (!len) return addr; diff -Nru a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c --- a/net/bridge/br_netfilter.c Tue Dec 16 20:35:41 2003 +++ b/net/bridge/br_netfilter.c Tue Dec 16 20:35:41 2003 @@ -180,7 +180,7 @@ struct rtable *rt; struct flowi fl = { .nl_u = { .ip4_u = { .daddr = iph->daddr, .saddr = 0 , - .tos = iph->tos} }, .proto = 0}; + .tos = RT_TOS(iph->tos)} }, .proto = 0}; if (!ip_route_output_key(&rt, &fl)) { /* Bridged-and-DNAT'ed traffic doesn't diff -Nru a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Tue Dec 16 20:35:41 2003 +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Tue Dec 16 20:35:41 2003 @@ -53,7 +53,7 @@ unsigned long ip_ct_tcp_timeout_syn_recv = 60 SECS; unsigned long ip_ct_tcp_timeout_established = 5 DAYS; unsigned long ip_ct_tcp_timeout_fin_wait = 2 MINS; -unsigned long ip_ct_tcp_timeout_close_wait = 3 DAYS; +unsigned long ip_ct_tcp_timeout_close_wait = 60 SECS; unsigned long ip_ct_tcp_timeout_last_ack = 30 SECS; unsigned long ip_ct_tcp_timeout_time_wait = 2 MINS; unsigned long ip_ct_tcp_timeout_close = 10 SECS; diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c --- a/net/ipv4/netfilter/ip_conntrack_standalone.c Tue Dec 16 20:35:41 2003 +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c Tue Dec 16 20:35:41 2003 @@ -201,7 +201,8 @@ /* Local packets are never produced too large for their interface. We degfragment them at LOCAL_OUT, however, so we have to refragment them here. */ - if ((*pskb)->len > dst_pmtu(&rt->u.dst)) { + if ((*pskb)->len > dst_pmtu(&rt->u.dst) && + !skb_shinfo(*pskb)->tso_size) { /* No hook can be after us, so this should be OK. */ ip_fragment(*pskb, okfn); return NF_STOLEN; diff -Nru a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c --- a/net/ipv4/tcp_ipv4.c Tue Dec 16 20:35:41 2003 +++ b/net/ipv4/tcp_ipv4.c Tue Dec 16 20:35:41 2003 @@ -2356,6 +2356,7 @@ static void *tcp_seq_start(struct seq_file *seq, loff_t *pos) { struct tcp_iter_state* st = seq->private; + st->state = TCP_SEQ_STATE_LISTENING; st->num = 0; return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; } diff -Nru a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c --- a/net/ipv6/tcp_ipv6.c Tue Dec 16 20:35:41 2003 +++ b/net/ipv6/tcp_ipv6.c Tue Dec 16 20:35:41 2003 @@ -222,7 +222,7 @@ write_lock(lock); } - sk_add_node(sk, list); + __sk_add_node(sk, list); sock_prot_inc_use(sk->sk_prot); write_unlock(lock); } diff -Nru a/net/ipv6/udp.c b/net/ipv6/udp.c --- a/net/ipv6/udp.c Tue Dec 16 20:35:41 2003 +++ b/net/ipv6/udp.c Tue Dec 16 20:35:41 2003 @@ -825,7 +825,7 @@ struct sockaddr_in sin; sin.sin_family = AF_INET; sin.sin_port = sin6 ? sin6->sin6_port : inet->dport; - sin.sin_addr.s_addr = daddr->s6_addr[3]; + sin.sin_addr.s_addr = daddr->s6_addr32[3]; msg->msg_name = &sin; msg->msg_namelen = sizeof(sin); do_udp_sendmsg: diff -Nru a/net/sched/sch_htb.c b/net/sched/sch_htb.c --- a/net/sched/sch_htb.c Tue Dec 16 20:35:41 2003 +++ b/net/sched/sch_htb.c Tue Dec 16 20:35:41 2003 @@ -74,7 +74,7 @@ #define HTB_HYSTERESIS 1/* whether to use mode hysteresis for speedup */ #define HTB_QLOCK(S) spin_lock_bh(&(S)->dev->queue_lock) #define HTB_QUNLOCK(S) spin_unlock_bh(&(S)->dev->queue_lock) -#define HTB_VER 0x3000d /* major must be matched with number suplied by TC as version */ +#define HTB_VER 0x3000e /* major must be matched with number suplied by TC as version */ #if HTB_VER >> 16 != TC_HTB_PROTOVER #error "Mismatched sch_htb.c and pkt_sch.h" @@ -290,6 +290,11 @@ * then finish and return direct queue. */ #define HTB_DIRECT (struct htb_class*)-1 +static inline u32 htb_classid(struct htb_class *cl) +{ + return (cl && cl != HTB_DIRECT) ? cl->classid : TC_H_UNSPEC; +} + static struct htb_class *htb_classify(struct sk_buff *skb, struct Qdisc *sch) { struct htb_sched *q = (struct htb_sched *)sch->data; @@ -703,7 +708,7 @@ sch->q.qlen++; sch->stats.packets++; sch->stats.bytes += skb->len; - HTB_DBG(1,1,"htb_enq_ok cl=%X skb=%p\n",cl?cl->classid:0,skb); + HTB_DBG(1,1,"htb_enq_ok cl=%X skb=%p\n",htb_classid(cl),skb); return NET_XMIT_SUCCESS; } @@ -731,7 +736,7 @@ htb_activate (q,cl); sch->q.qlen++; - HTB_DBG(1,1,"htb_req_ok cl=%X skb=%p\n",cl?cl->classid:0,skb); + HTB_DBG(1,1,"htb_req_ok cl=%X skb=%p\n",htb_classid(cl),skb); return NET_XMIT_SUCCESS; } @@ -1381,11 +1386,16 @@ #ifdef HTB_RATECM del_timer_sync (&q->rttim); #endif + /* This line used to be after htb_destroy_class call below + and surprisingly it worked in 2.4. But it must precede it + because filter need its target class alive to be able to call + unbind_filter on it (without Oops). */ + htb_destroy_filters(&q->filter_list); + while (!list_empty(&q->root)) htb_destroy_class (sch,list_entry(q->root.next, struct htb_class,sibling)); - htb_destroy_filters(&q->filter_list); __skb_queue_purge(&q->direct_queue); } diff -Nru a/scripts/file2alias.c b/scripts/file2alias.c --- a/scripts/file2alias.c Tue Dec 16 20:35:41 2003 +++ b/scripts/file2alias.c Tue Dec 16 20:35:41 2003 @@ -52,6 +52,13 @@ id->bcdDevice_lo = TO_NATIVE(id->bcdDevice_lo); id->bcdDevice_hi = TO_NATIVE(id->bcdDevice_hi); + /* + * Some modules (visor) have empty slots as placeholder for + * run-time specification that results in catch-all alias + */ + if (!(id->idVendor | id->bDeviceClass | id->bInterfaceClass)) + return 1; + strcpy(alias, "usb:"); ADD(alias, "v", id->match_flags&USB_DEVICE_ID_MATCH_VENDOR, id->idVendor);