--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:34 2006
+Date: Thu, 23 Mar 2006 02:59:24 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: kaber@trash.net, mike.miller@hp.com, stable@kernel.org
+Subject: [PATCH] cciss: fix use-after-free in cciss_init_one
+
+From: Patrick McHardy <kaber@trash.net>
+
+free_hba() sets hba[i] to NULL, the dereference afterwards results in this
+crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm
+not entirely sure, which is why I left it in.
+
+cciss: controller appears to be disabled
+Unable to handle kernel NULL pointer dereference at virtual address 00000370
+ printing eip:
+c1114d53
+*pde = 00000000
+Oops: 0002 [#1]
+Modules linked in:
+CPU: 0
+EIP: 0060:[<c1114d53>] Not tainted VLI
+EFLAGS: 00010286 (2.6.16 #1)
+EIP is at cciss_init_one+0x4e9/0x4fe
+eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00
+esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8
+ds: 007b es: 007b ss: 0068
+Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
+Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38
+f7c74740
+ c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04
+c10c1d85
+ c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000
+c2536f28
+Call Trace:
+ [<c10031d5>] show_stack_log_lvl+0xa8/0xb0
+ [<c1003305>] show_registers+0x102/0x16a
+ [<c10034a2>] die+0xc1/0x13c
+ [<c1288160>] do_page_fault+0x38a/0x525
+ [<c1002e9b>] error_code+0x4f/0x54
+ [<c10c1d51>] pci_call_probe+0xd/0x10
+ [<c10c1d85>] __pci_device_probe+0x31/0x43
+ [<c10c1db8>] pci_device_probe+0x21/0x34
+ [<c110a654>] driver_probe_device+0x44/0x99
+ [<c110a73f>] __driver_attach+0x39/0x5d
+ [<c1109e1c>] bus_for_each_dev+0x35/0x5a
+ [<c110a777>] driver_attach+0x14/0x16
+ [<c110a220>] bus_add_driver+0x5c/0x8f
+ [<c110ab22>] driver_register+0x73/0x78
+ [<c10c1f6d>] __pci_register_driver+0x5f/0x71
+ [<c13bf935>] cciss_init+0x1a/0x1c
+ [<c13aa718>] do_initcalls+0x4c/0x96
+ [<c13aa77e>] do_basic_setup+0x1c/0x1e
+ [<c10002b1>] init+0x35/0x118
+ [<c1000cf5>] kernel_thread_helper+0x5/0xb
+Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de
+40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80
+70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
+ <0>Kernel panic - not syncing: Attempted to kill init!
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Cc: <mike.miller@hp.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/block/cciss.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/drivers/block/cciss.c
++++ linux-2.6.16/drivers/block/cciss.c
+@@ -3269,8 +3269,8 @@ clean2:
+ unregister_blkdev(hba[i]->major, hba[i]->devname);
+ clean1:
+ release_io_mem(hba[i]);
+- free_hba(i);
+ hba[i]->busy_initializing = 0;
++ free_hba(i);
+ return(-1);
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:39 2006
+Date: Wed, 22 Mar 2006 00:07:42 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: abhishekgupt@gmail.com, danms@us.ibm.com, stable@kernel.org, agk@redhat.com
+Subject: [PATCH] dm: bio split bvec fix
+
+From: Alasdair G Kergon <agk@redhat.com>
+
+The code that handles bios that span table target boundaries by breaking
+them up into smaller bios will not split an individual struct bio_vec into
+more than two pieces. Sometimes more than that are required.
+
+This patch adds a loop to break the second piece up into as many pieces as
+are necessary.
+
+Cc: "Abhishek Gupta" <abhishekgupt@gmail.com>
+Cc: Dan Smith <danms@us.ibm.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/md/dm.c | 45 +++++++++++++++++++++++++--------------------
+ 1 files changed, 25 insertions(+), 20 deletions(-)
+
+--- linux-2.6.16.orig/drivers/md/dm.c
++++ linux-2.6.16/drivers/md/dm.c
+@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone
+
+ } else {
+ /*
+- * Create two copy bios to deal with io that has
+- * been split across a target.
++ * Handle a bvec that must be split between two or more targets.
+ */
+ struct bio_vec *bv = bio->bi_io_vec + ci->idx;
++ sector_t remaining = to_sector(bv->bv_len);
++ unsigned int offset = 0;
+
+- clone = split_bvec(bio, ci->sector, ci->idx,
+- bv->bv_offset, max);
+- __map_bio(ti, clone, tio);
+-
+- ci->sector += max;
+- ci->sector_count -= max;
+- ti = dm_table_find_target(ci->map, ci->sector);
+-
+- len = to_sector(bv->bv_len) - max;
+- clone = split_bvec(bio, ci->sector, ci->idx,
+- bv->bv_offset + to_bytes(max), len);
+- tio = alloc_tio(ci->md);
+- tio->io = ci->io;
+- tio->ti = ti;
+- memset(&tio->info, 0, sizeof(tio->info));
+- __map_bio(ti, clone, tio);
++ do {
++ if (offset) {
++ ti = dm_table_find_target(ci->map, ci->sector);
++ max = max_io_len(ci->md, ci->sector, ti);
++
++ tio = alloc_tio(ci->md);
++ tio->io = ci->io;
++ tio->ti = ti;
++ memset(&tio->info, 0, sizeof(tio->info));
++ }
++
++ len = min(remaining, max);
++
++ clone = split_bvec(bio, ci->sector, ci->idx,
++ bv->bv_offset + offset, len);
++
++ __map_bio(ti, clone, tio);
++
++ ci->sector += len;
++ ci->sector_count -= len;
++ offset += to_bytes(len);
++ } while (remaining -= len);
+
+- ci->sector += len;
+- ci->sector_count -= len;
+ ci->idx++;
+ }
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:30 2006
+Date: Thu, 23 Mar 2006 02:59:22 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: neilb@suse.de, stable@kernel.org
+Subject: [PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.
+
+From: NeilBrown <neilb@suse.de>
+
+Both R1BIO_Barrier and R1BIO_Returned are 4 !!!!
+
+This means that barrier requests don't get returned (i.e. b_endio called)
+because it looks like they already have been.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/linux/raid/raid1.h | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/include/linux/raid/raid1.h
++++ linux-2.6.16/include/linux/raid/raid1.h
+@@ -130,6 +130,6 @@ struct r1bio_s {
+ * with failure when last write completes (and all failed).
+ * Record that bi_end_io was called with this flag...
+ */
+-#define R1BIO_Returned 4
++#define R1BIO_Returned 6
+
+ #endif
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:38 2006
+Date: Thu, 23 Mar 2006 02:59:20 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: mingo@elte.hu, anton@samba.org, stable@kernel.org
+Subject: [PATCH] fix scheduler deadlock
+
+From: Anton Blanchard <anton@samba.org>
+
+We have noticed lockups during boot when stress testing kexec on ppc64.
+Two cpus would deadlock in scheduler code trying to grab already taken
+spinlocks.
+
+The double_rq_lock code uses the address of the runqueue to order the
+taking of multiple locks. This address is a per cpu variable:
+
+ if (rq1 < rq2) {
+ spin_lock(&rq1->lock);
+ spin_lock(&rq2->lock);
+ } else {
+ spin_lock(&rq2->lock);
+ spin_lock(&rq1->lock);
+ }
+
+On the other hand, the code in wake_sleeping_dependent uses the cpu id
+order to grab locks:
+
+ for_each_cpu_mask(i, sibling_map)
+ spin_lock(&cpu_rq(i)->lock);
+
+This means we rely on the address of per cpu data increasing as cpu ids
+increase. While this will be true for the generic percpu implementation it
+may not be true for arch specific implementations.
+
+One way to solve this is to always take runqueues in cpu id order. To do
+this we add a cpu variable to the runqueue and check it in the
+double runqueue locking functions.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ kernel/sched.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/kernel/sched.c
++++ linux-2.6.16/kernel/sched.c
+@@ -237,6 +237,7 @@ struct runqueue {
+
+ task_t *migration_thread;
+ struct list_head migration_queue;
++ int cpu;
+ #endif
+
+ #ifdef CONFIG_SCHEDSTATS
+@@ -1660,6 +1661,9 @@ unsigned long nr_iowait(void)
+ /*
+ * double_rq_lock - safely lock two runqueues
+ *
++ * We must take them in cpu order to match code in
++ * dependent_sleeper and wake_dependent_sleeper.
++ *
+ * Note this does not disable interrupts like task_rq_lock,
+ * you need to do so manually before calling.
+ */
+@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r
+ spin_lock(&rq1->lock);
+ __acquire(rq2->lock); /* Fake it out ;) */
+ } else {
+- if (rq1 < rq2) {
++ if (rq1->cpu < rq2->cpu) {
+ spin_lock(&rq1->lock);
+ spin_lock(&rq2->lock);
+ } else {
+@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue
+ __acquires(this_rq->lock)
+ {
+ if (unlikely(!spin_trylock(&busiest->lock))) {
+- if (busiest < this_rq) {
++ if (busiest->cpu < this_rq->cpu) {
+ spin_unlock(&this_rq->lock);
+ spin_lock(&busiest->lock);
+ spin_lock(&this_rq->lock);
+@@ -6035,6 +6039,7 @@ void __init sched_init(void)
+ rq->push_cpu = 0;
+ rq->migration_thread = NULL;
+ INIT_LIST_HEAD(&rq->migration_queue);
++ rq->cpu = i;
+ #endif
+ atomic_set(&rq->nr_iowait, 0);
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:36 2006
+Date: Wed, 22 Mar 2006 00:07:36 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: adaplas@pol.net, stable@kernel.org
+Subject: [PATCH] i810fb_cursor(): use GFP_ATOMIC
+
+From: "Antonino A. Daplas" <adaplas@pol.net>
+
+The console cursor can be called in atomic context. Change memory
+allocation to use the GFP_ATOMIC flag in i810fb_cursor().
+
+Signed-off-by: Antonino Daplas <adaplas@pol.net>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ drivers/video/i810/i810_main.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/drivers/video/i810/i810_main.c
++++ linux-2.6.16/drivers/video/i810/i810_main.c
+@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info
+ int size = ((cursor->image.width + 7) >> 3) *
+ cursor->image.height;
+ int i;
+- u8 *data = kmalloc(64 * 8, GFP_KERNEL);
++ u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
+
+ if (data == NULL)
+ return -ENOMEM;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:28 2006
+Date: Thu, 23 Mar 2006 02:59:19 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: stable@kernel.org, nhorman@tuxdriver.com
+Subject: [PATCH] proc: fix duplicate line in /proc/devices
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+Fix a duplicate block device line printed after the "Block device" header
+in /proc/devices.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/proc/proc_misc.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/fs/proc/proc_misc.c
++++ linux-2.6.16/fs/proc/proc_misc.c
+@@ -312,7 +312,7 @@ static void *devinfo_next(struct seq_fil
+ case BLK_HDR:
+ info->state = BLK_LIST;
+ (*pos)++;
+- break;
++ /*fallthrough*/
+ case BLK_LIST:
+ if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) {
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:37 2006
+Date: Wed, 22 Mar 2006 00:07:43 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: stable@kernel.org, joe.korty@ccur.com
+Subject: [PATCH] rtc.h broke strace(1) builds
+
+From: Joe Korty <joe.korty@ccur.com>
+
+Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e
+
+ [PATCH] move rtc_interrupt() prototype to rtc.h
+
+broke strace(1) builds. The below moves the kernel-only additions lower,
+under the already provided #ifdef __KERNEL__ statement.
+
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ include/linux/rtc.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/include/linux/rtc.h
++++ linux-2.6.16/include/linux/rtc.h
+@@ -11,8 +11,6 @@
+ #ifndef _LINUX_RTC_H_
+ #define _LINUX_RTC_H_
+
+-#include <linux/interrupt.h>
+-
+ /*
+ * The struct used to pass data via the following ioctl. Similar to the
+ * struct tm in <time.h>, but it needs to be here so that the kernel
+@@ -95,6 +93,8 @@ struct rtc_pll_info {
+
+ #ifdef __KERNEL__
+
++#include <linux/interrupt.h>
++
+ typedef struct rtc_task {
+ void (*func)(void *private_data);
+ void *private_data;
tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
xfs-writeout-fix.patch
net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
+i810fb_cursor-use-gfp_atomic.patch
+v9fs-assign-dentry-ops-to-negative-dentries.patch
+dm-bio-split-bvec-fix.patch
+rtc.h-broke-strace-builds.patch
+proc-fix-duplicate-line-in-proc-devices.patch
+fix-scheduler-deadlock.patch
+dm-fix-bug-bio_rw_barrier-requests-to-md-raid1-hang.patch
+cciss-fix-use-after-free-in-cciss_init_one.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:36 2006
+Date: Wed, 22 Mar 2006 00:07:37 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: lucho@ionkov.net, ericvh@gmail.com, stable@kernel.org
+Subject: [PATCH] v9fs: assign dentry ops to negative dentries
+
+From: Latchesar Ionkov <lucho@ionkov.net>
+
+If a file is not found in v9fs_vfs_lookup, the function creates negative
+dentry, but doesn't assign any dentry ops. This leaves the negative entry
+in the cache (there is no d_delete to mark it for removal). If the file is
+created outside of the mounted v9fs filesystem, the file shows up in the
+directory with weird permissions.
+
+This patch assigns the default v9fs dentry ops to the negative dentry.
+
+Signed-off-by: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ fs/9p/vfs_inode.c | 3 +--
+ 1 files changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/fs/9p/vfs_inode.c
++++ linux-2.6.16/fs/9p/vfs_inode.c
+@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st
+
+ sb = dir->i_sb;
+ v9ses = v9fs_inode2v9ses(dir);
++ dentry->d_op = &v9fs_dentry_operations;
+ dirfid = v9fs_fid_lookup(dentry->d_parent);
+
+ if (!dirfid) {
+@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st
+ goto FreeFcall;
+
+ fid->qid = fcall->params.rstat.stat.qid;
+-
+- dentry->d_op = &v9fs_dentry_operations;
+ v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb);
+
+ d_add(dentry, inode);
projects / thirdparty / kernel / stable-queue.git / commitdiff
