--- /dev/null
+From jejb@kernel.org Thu Oct 16 15:37:22 2008
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Thu, 16 Oct 2008 19:05:12 GMT
+Subject: ath9k/mac80211: disallow fragmentation in ath9k, report to userspace
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ5Cvk013905@hera.kernel.org>
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit 4233df6b748193d45f79fb7448991a473061a65d upstream
+
+As I've reported, ath9k currently fails utterly when fragmentation
+is enabled. This makes ath9k "support" hardware fragmentation by
+not supporting fragmentation at all to avoid the double-free issue.
+The patch also changes mac80211 to report errors from the driver
+operation to userspace.
+
+That hack in ath9k should be removed once the rate control algorithm
+it has is fixed, and we can at that time consider removing the hw
+fragmentation support entirely since it's not used by any driver.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath9k/main.c | 8 +++++++-
+ net/mac80211/wext.c | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath9k/main.c
++++ b/drivers/net/wireless/ath9k/main.c
+@@ -1007,6 +1007,11 @@ static int ath9k_ampdu_action(struct iee
+ return ret;
+ }
+
++static int ath9k_no_fragmentation(struct ieee80211_hw *hw, u32 value)
++{
++ return -EOPNOTSUPP;
++}
++
+ static struct ieee80211_ops ath9k_ops = {
+ .tx = ath9k_tx,
+ .start = ath9k_start,
+@@ -1031,7 +1036,8 @@ static struct ieee80211_ops ath9k_ops =
+ .get_tsf = ath9k_get_tsf,
+ .reset_tsf = ath9k_reset_tsf,
+ .tx_last_beacon = NULL,
+- .ampdu_action = ath9k_ampdu_action
++ .ampdu_action = ath9k_ampdu_action,
++ .set_frag_threshold = ath9k_no_fragmentation,
+ };
+
+ void ath_get_beaconconfig(struct ath_softc *sc,
+--- a/net/mac80211/wext.c
++++ b/net/mac80211/wext.c
+@@ -804,7 +804,7 @@ static int ieee80211_ioctl_siwfrag(struc
+ * configure it here */
+
+ if (local->ops->set_frag_threshold)
+- local->ops->set_frag_threshold(
++ return local->ops->set_frag_threshold(
+ local_to_hw(local),
+ local->fragmentation_threshold);
+
--- /dev/null
+From jejb@kernel.org Thu Oct 16 15:33:36 2008
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+Date: Thu, 16 Oct 2008 22:05:07 GMT
+Subject: Driver core: Clarify device cleanup.
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM579P005836@hera.kernel.org>
+
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+
+commit 5739411acbaa63a6c22c91e340fdcdbcc7d82a51 upstream
+
+Make the comments on how to use device_initialize(), device_add()
+and device_register() a bit clearer - in particular, explicitly
+note that put_device() must be used once we tried to add the device
+to the hierarchy.
+
+Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/core.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -523,11 +523,16 @@ static void klist_children_put(struct kl
+ * device_initialize - init device structure.
+ * @dev: device.
+ *
+- * This prepares the device for use by other layers,
+- * including adding it to the device hierarchy.
++ * This prepares the device for use by other layers by initializing
++ * its fields.
+ * It is the first half of device_register(), if called by
+- * that, though it can also be called separately, so one
+- * may use @dev's fields (e.g. the refcount).
++ * that function, though it can also be called separately, so one
++ * may use @dev's fields. In particular, get_device()/put_device()
++ * may be used for reference counting of @dev after calling this
++ * function.
++ *
++ * NOTE: Use put_device() to give up your reference instead of freeing
++ * @dev directly once you have called this function.
+ */
+ void device_initialize(struct device *dev)
+ {
+@@ -836,9 +841,13 @@ static void device_remove_sys_dev_entry(
+ * This is part 2 of device_register(), though may be called
+ * separately _iff_ device_initialize() has been called separately.
+ *
+- * This adds it to the kobject hierarchy via kobject_add(), adds it
++ * This adds @dev to the kobject hierarchy via kobject_add(), adds it
+ * to the global and sibling lists for the device, then
+ * adds it to the other relevant subsystems of the driver model.
++ *
++ * NOTE: _Never_ directly free @dev after calling this function, even
++ * if it returned an error! Always use put_device() to give up your
++ * reference instead.
+ */
+ int device_add(struct device *dev)
+ {
+@@ -965,6 +974,10 @@ done:
+ * I.e. you should only call the two helpers separately if
+ * have a clearly defined need to use and refcount the device
+ * before it is added to the hierarchy.
++ *
++ * NOTE: _Never_ directly free @dev after calling this function, even
++ * if it returned an error! Always use put_device() to give up the
++ * reference initialized in this function instead.
+ */
+ int device_register(struct device *dev)
+ {
--- /dev/null
+From jejb@kernel.org Thu Oct 16 15:33:09 2008
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+Date: Thu, 16 Oct 2008 22:05:05 GMT
+Subject: Driver core: Fix cleanup in device_create_vargs().
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM55pF005776@hera.kernel.org>
+
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+
+commit 286661b3777897220ecfcd774bccc68a34667f39 upstream
+
+If device_register() in device_create_vargs() fails, the device
+must be cleaned up with put_device() (which is also fine on NULL)
+instead of kfree().
+
+Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1243,7 +1243,7 @@ struct device *device_create_vargs(struc
+ return dev;
+
+ error:
+- kfree(dev);
++ put_device(dev);
+ return ERR_PTR(retval);
+ }
+ EXPORT_SYMBOL_GPL(device_create_vargs);
--- /dev/null
+From jejb@kernel.org Thu Oct 16 14:54:47 2008
+From: Oleg Nesterov <oleg@tv-sign.ru>
+Date: Thu, 16 Oct 2008 19:05:07 GMT
+Subject: fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ57Ki013495@hera.kernel.org>
+
+From: Oleg Nesterov <oleg@tv-sign.ru>
+
+commit 232fb69a53a5ec3f22a8104d447abe4806848a8f upstream
+
+echo 3 >> /sys/class/graphics/fbcon/rotate_all, then switch to another
+console. Result:
+
+ BUG: unable to handle kernel paging request at ffffc20005d00000
+ IP: [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
+ PGD 7e228067 PUD 7e229067 PMD 7bc1f067 PTE 0
+ Oops: 0002 [1] SMP
+ CPU 1
+ Modules linked in: [...a lot...]
+ Pid: 10, comm: events/1 Not tainted 2.6.26.5-45.fc9.x86_64 #1
+ RIP: 0010:[bitfill_aligned+149/265] [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
+ RSP: 0018:ffff81007d811bc8 EFLAGS: 00010216
+ RAX: ffffc20005d00000 RBX: 0000000000000000 RCX: 0000000000000400
+ RDX: 0000000000000000 RSI: ffffc20005d00000 RDI: ffffffffffffffff
+ RBP: ffff81007d811be0 R08: 0000000000000400 R09: 0000000000000040
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000010000
+ R13: ffffffff811632f0 R14: 0000000000000006 R15: ffff81007cb85400
+ FS: 0000000000000000(0000) GS:ffff81007e004780(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
+ CR2: ffffc20005d00000 CR3: 0000000000201000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process events/1 (pid: 10, threadinfo ffff81007d810000, task ffff81007d808000)
+ Stack: ffff81007c9d75a0 0000000000000000 0000000000000000 ffff81007d811c80
+ ffffffff81163a61 ffff810000000000 ffffffff8115f9c8 0000001000000000
+ 0000000100aaaaaa 000000007cd0d4a0 fffffd8a00000800 0001000000000000
+ Call Trace:
+ [cfb_fillrect+523/798] cfb_fillrect+0x20b/0x31e
+ [soft_cursor+416/436] ? soft_cursor+0x1a0/0x1b4
+ [ccw_clear_margins+205/263] ccw_clear_margins+0xcd/0x107
+ [fbcon_clear_margins+59/61] fbcon_clear_margins+0x3b/0x3d
+ [fbcon_switch+1291/1466] fbcon_switch+0x50b/0x5ba
+ [redraw_screen+261/481] redraw_screen+0x105/0x1e1
+ [ccw_cursor+0/1869] ? ccw_cursor+0x0/0x74d
+ [complete_change_console+48/190] complete_change_console+0x30/0xbe
+ [change_console+115/120] change_console+0x73/0x78
+ [console_callback+0/292] ? console_callback+0x0/0x124
+ [console_callback+97/292] console_callback+0x61/0x124
+ [schedule_delayed_work+25/30] ? schedule_delayed_work+0x19/0x1e
+ [run_workqueue+139/282] run_workqueue+0x8b/0x11a
+ [worker_thread+221/238] worker_thread+0xdd/0xee
+ [autoremove_wake_function+0/56] ? autoremove_wake_function+0x0/0x38
+ [worker_thread+0/238] ? worker_thread+0x0/0xee
+ [kthread+73/118] kthread+0x49/0x76
+ [child_rip+10/18] child_rip+0xa/0x12
+ [kthread+0/118] ? kthread+0x0/0x76
+ [child_rip+0/18] ? child_rip+0x0/0x12
+
+Because fbcon_set_all_vcs()->FBCON_SWAP() uses display->rotate == 0 instead
+of fbcon_ops->rotate, and vc_resize() has no effect because it is called with
+new_cols/rows == ->vc_cols/rows.
+
+Tested on 2.6.26.5-45.fc9.x86_64, but
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git seems to
+have the same problem.
+
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/console/fbcon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/console/fbcon.c
++++ b/drivers/video/console/fbcon.c
+@@ -2996,8 +2996,8 @@ static void fbcon_set_all_vcs(struct fb_
+ p = &fb_display[vc->vc_num];
+ set_blitting_type(vc, info);
+ var_to_display(p, &info->var, info);
+- cols = FBCON_SWAP(p->rotate, info->var.xres, info->var.yres);
+- rows = FBCON_SWAP(p->rotate, info->var.yres, info->var.xres);
++ cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
++ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+ cols /= vc->vc_font.width;
+ rows /= vc->vc_font.height;
+ vc_resize(vc, cols, rows);
--- /dev/null
+From jejb@kernel.org Thu Oct 16 15:37:50 2008
+From: James Bottomley <jejb@kernel.org>
+Date: Thu, 16 Oct 2008 19:05:16 GMT
+Subject: md: Fix rdev_size_store with size == 0
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ5GiT014058@hera.kernel.org>
+
+From: Chris Webb <chris@arachsys.com>
+
+commit 7d3c6f8717ee6c2bf6cba5fa0bda3b28fbda6015 upstream
+
+Fix rdev_size_store with size == 0.
+size == 0 means to use the largest size allowed by the
+underlying device and is used when modifying an active array.
+
+This fixes a regression introduced by
+ commit d7027458d68b2f1752a28016dcf2ffd0a7e8f567
+
+Signed-off-by: Chris Webb <chris@arachsys.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/md.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2109,8 +2109,6 @@ rdev_size_store(mdk_rdev_t *rdev, const
+
+ if (strict_strtoull(buf, 10, &size) < 0)
+ return -EINVAL;
+- if (size < my_mddev->size)
+- return -EINVAL;
+ if (my_mddev->pers && rdev->raid_disk >= 0) {
+ if (my_mddev->persistent) {
+ size = super_types[my_mddev->major_version].
+@@ -2121,9 +2119,9 @@ rdev_size_store(mdk_rdev_t *rdev, const
+ size = (rdev->bdev->bd_inode->i_size >> 10);
+ size -= rdev->data_offset/2;
+ }
+- if (size < my_mddev->size)
+- return -EINVAL; /* component must fit device */
+ }
++ if (size < my_mddev->size)
++ return -EINVAL; /* component must fit device */
+
+ rdev->size = size;
+ if (size > oldsize && my_mddev->external) {
--- /dev/null
+From jejb@kernel.org Thu Oct 16 15:31:27 2008
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Thu, 16 Oct 2008 22:05:10 GMT
+Subject: modules: fix module "notes" kobject leak
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM5A4T005941@hera.kernel.org>
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit e94320939f44e0cbaccc3f259a5778abced4949c upstream
+
+Fix "notes" kobject leak
+
+It happens every rmmod if KALLSYMS=y and SYSFS=y.
+
+ # modprobe foo
+
+kobject: 'foo' (ffffffffa00743d0): kobject_add_internal: parent: 'module', set: 'module'
+kobject: 'holders' (ffff88017e7c5770): kobject_add_internal: parent: 'foo', set: '<NULL>'
+kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
+kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
+kobject: 'notes' (ffff88017fa9b668): kobject_add_internal: parent: 'foo', set: '<NULL>'
+ ^^^^^
+
+ # rmmod foo
+
+kobject: 'holders' (ffff88017e7c5770): kobject_cleanup
+kobject: 'holders' (ffff88017e7c5770): auto cleanup kobject_del
+kobject: 'holders' (ffff88017e7c5770): calling ktype release
+kobject: (ffff88017e7c5770): dynamic_kobj_release
+kobject: 'holders': free name
+kobject: 'foo' (ffffffffa00743d0): kobject_cleanup
+kobject: 'foo' (ffffffffa00743d0): does not have a release() function, it is broken and must be fixed.
+kobject: 'foo' (ffffffffa00743d0): auto cleanup 'remove' event
+kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
+kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
+kobject: 'foo' (ffffffffa00743d0): auto cleanup kobject_del
+kobject: 'foo': free name
+
+ [whooops]
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1173,7 +1173,7 @@ static void free_notes_attrs(struct modu
+ while (i-- > 0)
+ sysfs_remove_bin_file(notes_attrs->dir,
+ ¬es_attrs->attrs[i]);
+- kobject_del(notes_attrs->dir);
++ kobject_put(notes_attrs->dir);
+ }
+ kfree(notes_attrs);
+ }
--- /dev/null
+fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch
+modules-fix-module-notes-kobject-leak.patch
+driver-core-fix-cleanup-in-device_create_vargs.patch
+driver-core-clarify-device-cleanup.patch
+ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch
+md-fix-rdev_size_store-with-size-0.patch
+xfs-fix-remount-rw-with-unrecognized-options.patch
--- /dev/null
+From 6c5e51dae2c37127e00be392f40842e08077e96a Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sun, 12 Oct 2008 14:30:44 +0200
+Subject: xfs: fix remount rw with unrecognized options
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 6c5e51dae2c37127e00be392f40842e08077e96a upstream
+
+When we skip unrecognized options in xfs_fs_remount we should just break
+out of the switch and not return because otherwise we may skip clearing
+the xfs-internal read-only flag. This will only show up on some
+operations like touch because most read-only checks are done by the VFS
+which thinks this filesystem is r/w. Eventually we should replace the
+XFS read-only flag with a helper that always checks the VFS flag to make
+sure they can never get out of sync.
+
+Bug reported and fix verified by Marcel Beister on #xfs.
+Bug fix verified by updated xfstests/189.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Eric Sandeen <sandeen@sandeen.net>
+Signed-off-by: Timothy Shimmin <tes@sgi.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/linux-2.6/xfs_super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/linux-2.6/xfs_super.c
++++ b/fs/xfs/linux-2.6/xfs_super.c
+@@ -1323,7 +1323,7 @@ xfs_fs_remount(
+ "XFS: mount option \"%s\" not supported for remount\n", p);
+ return -EINVAL;
+ #else
+- return 0;
++ break;
+ #endif
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
