This is the code to load packet data into a register:

                        k = fentry->k;
                        if (k < 0) {
...
                        } else {
                                u32 _tmp, *p;
                                p = skb_header_pointer(skb, k, 4, &_tmp);
                                if (p != NULL) {
                                        A = ntohl(*p);
                                        continue;
                                }
                        }

skb_header_pointer checks if the requested data is within the
linear area:

        int hlen = skb_headlen(skb);

        if (offset + len <= hlen)
                return skb->data + offset;

When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.

I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.

This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.

Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Add __attribute__((packed)) to ensure that the stat64 structure is
correctly laid out no matter which ABI the kernel is compiled for.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

These didn't match my sed expression correctly, fix them up manually.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Initialise the spinlock for port being used by the console early, but
don't re-initialise it again later.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Patch from Catalin Marinas

The range for the ARMv6 block cache operations is inclusive but the
kernel doesn't re-calculate the end address, causing a page fault when
used (this only happens with support for cache aliasing, otherwise the
blk_flush_kern_dcache_page() is not called). This patch subtracts
L1_CACHE_BYTES from the end address.
Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Patch from Ben Dooks

The request_irq() function is called by s3c24xx uart driver with
the local IRQs disabled. The request_irq() function can allocate
memory via kmalloc(), and this may sleep causing a warning about
sleeping in an invalid context.
Signed-off-by: NBen Dooks <ben-linux@fluff.org>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Remove the pointless machine description macros, favouring C99
initialisers instead.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

This patch kills the dead CONFIG_BLK_DEV_IDE_TCQ entry.
Signed-off-by: NAdrian Bunk <bunk@stusta.de>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Rob Punkunus <rpunkunus@nvidia.com>

Rob Punkunus recently submitted a patch to enable support for MCP51/MCP55 in
the amd74xx driver. This patch was whitespace-corrupted and didn't apply to
2.6.12 since MCP51 support was merged in the 2.6.12-rc series.

Gentoo would like to support this hardware for our upcoming release media, so
I fixed the patch, and here it is :)
Signed-off-by: NDaniel Drake <dsd@gentoo.org>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Denis Vlasenko <vda@ilport.com.ua>

* printk("\n") is misplaced, resulting in stray empty line in kernel log
* cleanups nerby: some back-to-back printks are combined, etc
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.
Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

From: Herbert Xu <herbert@gondor.apana.org.au>

mark the __init section __devinit.
Splitted up from the Debian kernel patch.

see the thread about the pci hotplug crash on a stratus box.
http://marc.theaimsgroup.com/?l=linux-kernel&m=111930108613386&w=2Signed-off-by: Nmaximilian attems <janitor@sternwelten.at>
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@elka.pw.edu.pl>

That zero just means that nothing else found any irq information either.

This fixes the bug that caused BUG_ON(!irqs_disabled()) to trigger in
run_posix_cpu_timers() on alpha/smp.  We didn't disable interrupts
properly before calling smp_percpu_timer_interrupt().

We *do* disable interrupts everywhere except this unfortunate
smp_percpu_timer_interrupt().  Fixed thus.
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

This patch contains the following possible cleanups:
- make some needlessly global code static
- remove the unneeded global function DBG_REG
Signed-off-by: NAdrian Bunk <bunk@stusta.de>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Wait 0.5 seconds before scanning for cards after an insertion interrupt.
The electrical connection needs this time to stabilise for some cards.
Signed-off-by: NPierre Ossman <drzeus@drzeus.cx>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Use msleep() instead of schedule_timeout() to guarantee the task
delays as expected. Neither signals nor wait-queue events are
important at this point in the code, I believe.
Signed-off-by: NNishanth Aravamudan <nacc@us.ibm.com>
Signed-off-by: NDomen Puncer <domen@coderock.org>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Use do_div() instead.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Make the magic address values in head.S more obvious as to where
they came from.  Wrap all debug code in CONFIG_DEBUG_LL.
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Patch from Ben Dooks

The omnimeter_defconfig does not define any machines and
seems to have no other support in the current kernel.
This patch removes the config file, as this is the only
thing currently mentioning the ominmeter.
Signed-off-by: NBen Dooks <ben-linux@fluff.org>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Patch from Todd Poynor

Add definition of K0DB4 SDCLK<0,3> divide-by-4 control/status bit in the
MDREFR register for Intel XScale PXA27x.
Signed-off-by: NTodd Poynor <tpoynor@mvista.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Patch from Todd Poynor

Add support for PXA27x Standby mode, a low-power mode that retains CPU
and some peripheral state (the existing "sleep" mode is a power-power
mode that retains less state). Activated via:
echo -n standby > /sys/power/state
From: David Burrage and Todd Poynor
Signed-off-by: NTodd Poynor <tpoynor@mvista.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

Fixup for the recent slab leak fix

Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>

As usual, the reason of this breakage is quite silly: in do_entIF, we
are checking for PS == 0 to see whether it was a kernel BUG() or
userspace trap.

It works, unless BUG() happens in interrupt - PS is not 0 in kernel mode
due to non-zero IPL, and the things get messed up horribly then.  In
this particular case it was BUG_ON(!irqs_disabled()) triggered in
run_posix_cpu_timers(), so we ended up shooting "current" with the
bursts of one SIGTRAP and three SIGILLs on every timer tick.  ;-)