--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 1 16:06:43 2007
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+Date: Thu, 01 Mar 2007 19:05:16 -0500
+Subject: forcedeth: disable msix
+To: linux-stable <stable@kernel.org>
+Message-ID: <45E76A3C.1070907@redhat.com>
+
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+
+forcedeth: disable msix
+
+There seems to be an issue when both MSI-X is enabled and NAPI is
+configured. This patch disables MSI-X until the issue is root caused.
+
+Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/forcedeth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/drivers/net/forcedeth.c
++++ linux-2.6.20.1/drivers/net/forcedeth.c
+@@ -825,7 +825,7 @@ enum {
+ NV_MSIX_INT_DISABLED,
+ NV_MSIX_INT_ENABLED
+ };
+-static int msix = NV_MSIX_INT_ENABLED;
++static int msix = NV_MSIX_INT_DISABLED;
+
+ /*
+ * DMA 64bit
--- /dev/null
+From: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+Date: Wed Jan 17 21:18:35 2007 -0600
+Subject: JFS: call io_schedule() instead of schedule() to avoid deadlock
+
+From: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+
+JFS: call io_schedule() instead of schedule() to avoid deadlock
+
+The introduction of Jens Axboe's explicit i/o plugging patches introduced a
+deadlock in jfs. This was caused by the process initiating I/O not
+unplugging the queue before waiting on the commit thread. The commit
+thread itself was waiting for that I/O to complete. Calling io_schedule()
+rather than schedule() unplugs the I/O queue avoiding the deadlock, and it
+appears to be the right function to call in any case.
+
+Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/jfs/jfs_lock.h | 2 +-
+ fs/jfs/jfs_metapage.c | 2 +-
+ fs/jfs/jfs_txnmgr.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/fs/jfs/jfs_lock.h
++++ linux-2.6.20.1/fs/jfs/jfs_lock.h
+@@ -42,7 +42,7 @@ do { \
+ if (cond) \
+ break; \
+ unlock_cmd; \
+- schedule(); \
++ io_schedule(); \
+ lock_cmd; \
+ } \
+ current->state = TASK_RUNNING; \
+--- linux-2.6.20.1.orig/fs/jfs/jfs_metapage.c
++++ linux-2.6.20.1/fs/jfs/jfs_metapage.c
+@@ -56,7 +56,7 @@ static inline void __lock_metapage(struc
+ set_current_state(TASK_UNINTERRUPTIBLE);
+ if (metapage_locked(mp)) {
+ unlock_page(mp->page);
+- schedule();
++ io_schedule();
+ lock_page(mp->page);
+ }
+ } while (trylock_metapage(mp));
+--- linux-2.6.20.1.orig/fs/jfs/jfs_txnmgr.c
++++ linux-2.6.20.1/fs/jfs/jfs_txnmgr.c
+@@ -135,7 +135,7 @@ static inline void TXN_SLEEP_DROP_LOCK(w
+ add_wait_queue(event, &wait);
+ set_current_state(TASK_UNINTERRUPTIBLE);
+ TXN_UNLOCK();
+- schedule();
++ io_schedule();
+ current->state = TASK_RUNNING;
+ remove_wait_queue(event, &wait);
+ }
--- /dev/null
+From: Neil Brown <neilb@suse.de>
+Subject: export blk_recount_segments
+
+On Monday February 12, marcm@liquid-nexus.net wrote:
+> >
+> > Thanks for the quick response Neil unfortunately the kernel doesn't build with
+> > this patch due to a missing symbol:
+> >
+> > WARNING: "blk_recount_segments" [drivers/md/raid456.ko] undefined!
+> >
+> > Is that in another file that needs patching or within raid5.c?
+
+Yes. I keep forgetting about that bit. Sorry.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/ll_rw_blk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/block/ll_rw_blk.c
++++ linux-2.6.20.1/block/ll_rw_blk.c
+@@ -1264,7 +1264,7 @@ new_hw_segment:
+ bio->bi_hw_segments = nr_hw_segs;
+ bio->bi_flags |= (1 << BIO_SEG_VALID);
+ }
+-
++EXPORT_SYMBOL(blk_recount_segments);
+
+ static int blk_phys_contig_segment(request_queue_t *q, struct bio *bio,
+ struct bio *nxt)
--- /dev/null
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Subject: Eliminate possible NULL pointer dereference in nfulnl_recv_config().
+
+Eliminate possible NULL pointer dereference in nfulnl_recv_config().
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c
++++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c
+@@ -865,6 +865,9 @@ nfulnl_recv_config(struct sock *ctnl, st
+ ret = -EINVAL;
+ break;
+ }
++
++ if (!inst)
++ goto out_null;
+ } else {
+ if (!inst) {
+ UDEBUG("no config command, and no instance for "
--- /dev/null
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Subject: Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nfnetlink_log.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c
++++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c
+@@ -217,6 +217,11 @@ _instance_destroy2(struct nfulnl_instanc
+
+ spin_lock_bh(&inst->lock);
+ if (inst->skb) {
++ /* timer "holds" one reference (we have one more) */
++ if (timer_pending(&inst->timer)) {
++ del_timer(&inst->timer);
++ instance_put(inst);
++ }
+ if (inst->qlen)
+ __nfulnl_send(inst);
+ if (inst->skb) {
+@@ -363,9 +368,6 @@ __nfulnl_send(struct nfulnl_instance *in
+ {
+ int status;
+
+- if (timer_pending(&inst->timer))
+- del_timer(&inst->timer);
+-
+ if (!inst->skb)
+ return 0;
+
+@@ -392,6 +394,8 @@ static void nfulnl_timer(unsigned long d
+ UDEBUG("timer function called, flushing buffer\n");
+
+ spin_lock_bh(&inst->lock);
++ if (timer_pending(&inst->timer)) /* is it always true or false here? */
++ del_timer(&inst->timer);
+ __nfulnl_send(inst);
+ instance_put(inst);
+ spin_unlock_bh(&inst->lock);
+@@ -689,6 +693,11 @@ nfulnl_log_packet(unsigned int pf,
+ * enough room in the skb left. flush to userspace. */
+ UDEBUG("flushing old skb\n");
+
++ /* timer "holds" one reference (we have another one) */
++ if (timer_pending(&inst->timer)) {
++ del_timer(&inst->timer);
++ instance_put(inst);
++ }
+ __nfulnl_send(inst);
+
+ if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 1 16:00:18 2007
+From: Ingo Molnar <mingo@elte.hu>
+Date: Thu, 01 Mar 2007 18:58:51 -0500
+Subject: sched: fix SMT scheduler bug
+To: linux-stable <stable@kernel.org>
+Message-ID: <45E768BB.6050500@redhat.com>
+
+From: Ingo Molnar <mingo@elte.hu>
+
+[PATCH] sched: fix SMT scheduler bug
+
+The SMT scheduler incorrectly skips kernel threads even if they are
+runnable (but they are preempted by a higher-prio user-space task which got
+SMT-delayed by an even higher-priority task running on a sibling CPU).
+
+Fix this for now by only doing the SMT-nice optimization if the
+to-be-delayed task is the only runnable task. (This should cover most of
+the real-life cases anyway.)
+
+This bug has been in the SMT scheduler since 2.6.17 or so, but has only
+been noticed now by the active check in the dynticks code.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
+Cc: Nick Piggin <nickpiggin@yahoo.com.au>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ kernel/sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/kernel/sched.c
++++ linux-2.6.20.1/kernel/sched.c
+@@ -3528,7 +3528,7 @@ need_resched_nonpreemptible:
+ }
+ }
+ next->sleep_type = SLEEP_NORMAL;
+- if (dependent_sleeper(cpu, rq, next))
++ if (rq->nr_running == 1 && dependent_sleeper(cpu, rq, next))
+ next = rq->idle;
+ switch_tasks:
+ if (next == rq->idle)
fix-tcp-md5-locking.patch
don-t-add-anycast-reference-to-device-multiple-times.patch
fix-anycast-procfs-device-leak.patch
+nfnetlink_log_refcounting_fix.patch.patch
+nfnetlink_log_null_deref_fix.patch.patch
+md_md5_6_bio_too_big_fix_fix.patch
+jfs_fix_deadlock.patch
+forcedeth-disable-msix.patch
+tty_io-fix-race-in-master-pty-close-slave-pty-close-path.patch
+sched-fix-smt-scheduler-bug.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 1 16:04:13 2007
+From: Aristeu Sergio Rozanski Filho <aristeu.sergio@gmail.com>
+Date: Thu, 01 Mar 2007 19:02:55 -0500
+Subject: tty_io: fix race in master pty close/slave pty close path
+To: linux-stable <stable@kernel.org>
+Message-ID: <45E769AF.4000608@redhat.com>
+
+From: Aristeu Sergio Rozanski Filho <aristeu.sergio@gmail.com>
+
+[PATCH] tty_io: fix race in master pty close/slave pty close path
+
+This patch fixes a possible race that leads to double freeing an idr index.
+ When the master begin to close, release_dev() is called and then
+pty_close() is called:
+
+ if (tty->driver->close)
+ tty->driver->close(tty, filp);
+
+This is done without helding any locks other than BKL. Inside pty_close(),
+being a master close, the devpts entry will be removed:
+
+#ifdef CONFIG_UNIX98_PTYS
+ if (tty->driver == ptm_driver)
+ devpts_pty_kill(tty->index);
+#endif
+
+But devpts_pty_kill() will call get_node() that may sleep while waiting for
+&devpts_root->d_inode->i_sem. When this happens and the slave is being
+opened, tty_open() just found the driver and index:
+
+ driver = get_tty_driver(device, &index);
+ if (!driver) {
+ mutex_unlock(&tty_mutex);
+ return -ENODEV;
+ }
+
+This part of the code is already protected under tty_mute. The problem is
+that the slave close already got an index. Then init_dev() is called and
+blocks waiting for the same &devpts_root->d_inode->i_sem.
+
+When the master close resumes, it removes the devpts entry, and the
+relation between idr index and the tty is gone. The master then sleeps
+waiting for the tty_mutex on release_dev().
+
+Slave open resumes and found no tty for that index. As result, a NULL tty
+is returned and init_dev() doesn't flow to fast_track:
+
+ /* check whether we're reopening an existing tty */
+ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
+ tty = devpts_get_tty(idx);
+ if (tty && driver->subtype == PTY_TYPE_MASTER)
+ tty = tty->link;
+ } else {
+ tty = driver->ttys[idx];
+ }
+ if (tty) goto fast_track;
+
+The result of this, is that a new tty will be created and init_dev() returns
+sucessfull. After returning, tty_mutex is dropped and master close may resume.
+
+Master close finds it's the only use and both sides are closing, then releases
+the tty and the index. At this point, the idr index is free, but slave still
+has it.
+
+Slave open then calls pty_open() and finds that tty->link->count is 0,
+because there's no master and returns error. Then tty_open() calls
+release_dev() which executes without any warning, as it was a case of last
+slave close when the master is already closed (master->count == 0,
+slave->count == 1). The tty is then released with the already released idr
+index.
+
+This normally would only issue a warning on idr_remove() but in case of a
+customer's critical application, it's never too simple:
+
+thread1: opens master, gets index X
+thread1: begin closing master
+thread2: begin opening slave with index X
+thread1: finishes closing master, index X released
+thread3: opens master, gets index X, just released
+thread2: fails opening slave, releases index X <----
+thread4: opens master, gets index X, init_dev() then find an already in use
+ and healthy tty and fails
+
+If no more indexes are released, ptmx_open() will keep failing, as the
+first free index available is X, and it will make init_dev() fail because
+you're trying to "reopen a master" which isn't valid.
+
+The patch notices when this race happens and make init_dev() fail
+imediately. The init_dev() function is called with tty_mutex held, so it's
+safe to continue with tty till the end of function because release_dev()
+won't make any further changes without grabbing the tty_mutex.
+
+Without the patch, on some machines it's possible get easily idr warnings
+like this one:
+
+idr_remove called for id=15 which is not allocated.
+ [<c02555b9>] idr_remove+0x139/0x170
+ [<c02a1b62>] release_mem+0x182/0x230
+ [<c02a28e7>] release_dev+0x4b7/0x700
+ [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
+ [<c02a1e64>] init_dev+0x254/0x580
+ [<c02a0d64>] check_tty_count+0x14/0xb0
+ [<c02a4f05>] tty_open+0x1c5/0x340
+ [<c02a4d40>] tty_open+0x0/0x340
+ [<c017388f>] chrdev_open+0xaf/0x180
+ [<c017c2ac>] open_namei+0x8c/0x760
+ [<c01737e0>] chrdev_open+0x0/0x180
+ [<c0167bc9>] __dentry_open+0xc9/0x210
+ [<c0167e2c>] do_filp_open+0x5c/0x70
+ [<c0167a91>] get_unused_fd+0x61/0xd0
+ [<c0167e93>] do_sys_open+0x53/0x100
+ [<c0167f97>] sys_open+0x27/0x30
+ [<c010303b>] syscall_call+0x7/0xb
+
+using this test application available on:
+ http://www.ruivo.org/~aris/pty_sodomizer.c
+
+Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/tty_io.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- linux-2.6.20.1.orig/drivers/char/tty_io.c
++++ linux-2.6.20.1/drivers/char/tty_io.c
+@@ -1891,6 +1891,20 @@ static int init_dev(struct tty_driver *d
+ /* check whether we're reopening an existing tty */
+ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
+ tty = devpts_get_tty(idx);
++ /*
++ * If we don't have a tty here on a slave open, it's because
++ * the master already started the close process and there's
++ * no relation between devpts file and tty anymore.
++ */
++ if (!tty && driver->subtype == PTY_TYPE_SLAVE) {
++ retval = -EIO;
++ goto end_init;
++ }
++ /*
++ * It's safe from now on because init_dev() is called with
++ * tty_mutex held and release_dev() won't change tty->count
++ * or tty->flags without having to grab tty_mutex
++ */
+ if (tty && driver->subtype == PTY_TYPE_MASTER)
+ tty = tty->link;
+ } else {
projects / thirdparty / kernel / stable-queue.git / commitdiff
