--- /dev/null
+From gregkh@mini.kroah.org Fri Jul 17 13:12:28 2009
+Message-Id: <20090717201227.992856604@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:52 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eugene Teo <eugeneteo@kernel.sg>,
+ Eric Paris <eparis@redhat.com>,
+ Wang Cong <amwang@redhat.com>
+Subject: [patch 01/24] Add -fno-delete-null-pointer-checks to gcc CFLAGS
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+Content-Length: 1852
+Lines: 59
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Eugene Teo <eteo@redhat.com>
+
+commit a3ca86aea507904148870946d599e07a340b39bf upstream.
+
+Turning on this flag could prevent the compiler from optimising away
+some "useless" checks for null pointers. Such bugs can sometimes become
+exploitable at compile time because of the -O2 optimisation.
+
+See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html
+
+An example that clearly shows this 'problem' is commit 6bf67672.
+
+ static void __devexit agnx_pci_remove(struct pci_dev *pdev)
+ {
+ struct ieee80211_hw *dev = pci_get_drvdata(pdev);
+- struct agnx_priv *priv = dev->priv;
++ struct agnx_priv *priv;
+ AGNX_TRACE;
+
+ if (!dev)
+ return;
++ priv = dev->priv;
+
+By reverting this patch, and compile it with and without
+-fno-delete-null-pointer-checks flag, we can see that the check for dev
+is compiled away.
+
+ call printk #
+- testq %r12, %r12 # dev
+- je .L94 #,
+ movq %r12, %rdi # dev,
+
+Clearly the 'fix' is to stop using dev before it is tested, but building
+with -fno-delete-null-pointer-checks flag at least makes it harder to
+abuse.
+
+Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
+Acked-by: Eric Paris <eparis@redhat.com>
+Acked-by: Wang Cong <amwang@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -351,7 +351,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__
+
+ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+ -fno-strict-aliasing -fno-common \
+- -Werror-implicit-function-declaration
++ -Werror-implicit-function-declaration \
++ -fno-delete-null-pointer-checks
+ KBUILD_AFLAGS := -D__ASSEMBLY__
+
+ # Read KERNELRELEASE from include/config/kernel.release (if it exists)
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:28 2009
+Message-Id: <20090717201228.282566328@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:53 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christoph Lameter <cl@linux-foundation.org>,
+ Eric Paris <eparis@redhat.com>,
+ James Morris <jmorris@namei.org>
+Subject: [patch 02/24] security: use mmap_min_addr indepedently of security models
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=security-use-mmap_min_addr-indepedently-of-security-models.patch
+Content-Length: 5138
+Lines: 155
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Christoph Lameter <cl@linux-foundation.org>
+
+commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream.
+
+This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
+It also sets a default mmap_min_addr of 4096.
+
+mmapping of addresses below 4096 will only be possible for processes
+with CAP_SYS_RAWIO.
+
+Signed-off-by: Christoph Lameter <cl@linux-foundation.org>
+Acked-by: Eric Paris <eparis@redhat.com>
+Looks-ok-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/mm.h | 2 --
+ include/linux/security.h | 2 ++
+ kernel/sysctl.c | 2 --
+ mm/Kconfig | 19 +++++++++++++++++++
+ mm/mmap.c | 3 +++
+ security/Kconfig | 22 +---------------------
+ security/security.c | 3 ---
+ 7 files changed, 25 insertions(+), 28 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -580,12 +580,10 @@ static inline void set_page_links(struct
+ */
+ static inline unsigned long round_hint_to_min(unsigned long hint)
+ {
+-#ifdef CONFIG_SECURITY
+ hint &= PAGE_MASK;
+ if (((void *)hint != NULL) &&
+ (hint < mmap_min_addr))
+ return PAGE_ALIGN(mmap_min_addr);
+-#endif
+ return hint;
+ }
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(str
+ unsigned long addr,
+ unsigned long addr_only)
+ {
++ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
++ return -EACCES;
+ return 0;
+ }
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1225,7 +1225,6 @@ static struct ctl_table vm_table[] = {
+ .strategy = &sysctl_jiffies,
+ },
+ #endif
+-#ifdef CONFIG_SECURITY
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "mmap_min_addr",
+@@ -1234,7 +1233,6 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = &proc_doulongvec_minmax,
+ },
+-#endif
+ #ifdef CONFIG_NUMA
+ {
+ .ctl_name = CTL_UNNUMBERED,
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -226,6 +226,25 @@ config HAVE_MLOCKED_PAGE_BIT
+ config MMU_NOTIFIER
+ bool
+
++config DEFAULT_MMAP_MIN_ADDR
++ int "Low address space to protect from user allocation"
++ default 4096
++ help
++ This is the portion of low virtual memory which should be protected
++ from userspace allocation. Keeping a user from writing to low pages
++ can help reduce the impact of kernel NULL pointer bugs.
++
++ For most ia64, ppc64 and x86 users with lots of address space
++ a value of 65536 is reasonable and should cause no problems.
++ On arm and other archs it should not be higher than 32768.
++ Programs which use vm86 functionality would either need additional
++ permissions from either the LSM or the capabilities module or have
++ this protection disabled.
++
++ This value can be changed after boot using the
++ /proc/sys/vm/mmap_min_addr tunable.
++
++
+ config NOMMU_INITIAL_TRIM_EXCESS
+ int "Turn on mmap() excess space trimming before booting"
+ depends on !MMU
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -87,6 +87,9 @@ int sysctl_overcommit_ratio = 50; /* def
+ int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
+ struct percpu_counter vm_committed_as;
+
++/* amount of vm to protect from userspace access */
++unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
++
+ /*
+ * Check that a process has enough memory to allocate a new virtual
+ * mapping. 0 means there is enough memory for the allocation to
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -110,28 +110,8 @@ config SECURITY_ROOTPLUG
+
+ See <http://www.linuxjournal.com/article.php?sid=6279> for
+ more information about this module.
+-
+- If you are unsure how to answer this question, answer N.
+-
+-config SECURITY_DEFAULT_MMAP_MIN_ADDR
+- int "Low address space to protect from user allocation"
+- depends on SECURITY
+- default 0
+- help
+- This is the portion of low virtual memory which should be protected
+- from userspace allocation. Keeping a user from writing to low pages
+- can help reduce the impact of kernel NULL pointer bugs.
+-
+- For most ia64, ppc64 and x86 users with lots of address space
+- a value of 65536 is reasonable and should cause no problems.
+- On arm and other archs it should not be higher than 32768.
+- Programs which use vm86 functionality would either need additional
+- permissions from either the LSM or the capabilities module or have
+- this protection disabled.
+-
+- This value can be changed after boot using the
+- /proc/sys/vm/mmap_min_addr tunable.
+
++ If you are unsure how to answer this question, answer N.
+
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+--- a/security/security.c
++++ b/security/security.c
+@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
+
+ struct security_operations *security_ops; /* Initialized to NULL */
+
+-/* amount of vm to protect from userspace access */
+-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
+-
+ static inline int verify(struct security_operations *ops)
+ {
+ /* verify the security_operations structure exists */
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:29 2009
+Message-Id: <20090717201228.781324899@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:54 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mariusz Kozlowski <m.kozlowski@tuxland.pl>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 03/24] tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=tun-tap-fix-crashes-if-open-dev-net-tun-and-then-poll-it.patch
+Content-Length: 1164
+Lines: 43
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
+
+commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream.
+
+Fix NULL pointer dereference in tun_chr_pool() introduced by commit
+33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
+packets per device") and triggered by this code:
+
+ int fd;
+ struct pollfd pfd;
+ fd = open("/dev/net/tun", O_RDWR);
+ pfd.fd = fd;
+ pfd.events = POLLIN | POLLOUT;
+ poll(&pfd, 1, 0);
+
+Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
+Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun = __tun_get(tfile);
+- struct sock *sk = tun->sk;
++ struct sock *sk;
+ unsigned int mask = 0;
+
+ if (!tun)
+ return POLLERR;
+
++ sk = tun->sk;
++
+ DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
+
+ poll_wait(file, &tun->socket.wait, wait);
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:29 2009
+Message-Id: <20090717201229.027381107@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:55 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Julien Tinnes <jt@cr0.org>,
+ Tavis Ormandy <taviso@sdf.lonestar.org>,
+ Christoph Hellwig <hch@infradead.org>,
+ Kees Cook <kees@ubuntu.com>,
+ Eugene Teo <eugene@redhat.com>
+Subject: [patch 04/24] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=personality-fix-per_clear_on_setid.patch
+Content-Length: 2093
+Lines: 53
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Julien Tinnes <jt@cr0.org>
+
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.
+
+We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+We believe it is important to add MMAP_PAGE_ZERO, because by using this
+personality it is possible to have the first page mapped inside a
+process running as setuid root. This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+ running a setuid binary that would drop privileges before giving us
+ control back (for instance by loading a user-supplied library), we
+ could get the first page mapped in a process we control. By further
+ using mremap and mprotect on this mapping, we can then completely
+ bypass the mmap_min_addr restrictions.
+
+Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+since on x86 32bits it will in practice disable most of the address
+space layout randomization (only the stack will remain randomized).
+
+Signed-off-by: Julien Tinnes <jt@cr0.org>
+Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
+Acked-by: Christoph Hellwig <hch@infradead.org>
+Acked-by: Kees Cook <kees@ubuntu.com>
+Acked-by: Eugene Teo <eugene@redhat.com>
+[ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/personality.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+ * Security-relevant compatibility flags that must be
+ * cleared upon setuid or setgid exec:
+ */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
++ ADDR_NO_RANDOMIZE | \
++ ADDR_COMPAT_LAYOUT | \
++ MMAP_PAGE_ZERO)
+
+ /*
+ * Personality types.
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:29 2009
+Message-Id: <20090717201229.279762270@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:56 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sonic Zhang <sonic.zhang@analog.com>,
+ Mike Frysinger <vapier@gentoo.org>
+Subject: [patch 05/24] Blackfin: fix accidental reset in some boot modes
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=blackfin-fix-accidental-reset-in-some-boot-modes.patch
+Content-Length: 1138
+Lines: 32
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Sonic Zhang <sonic.zhang@analog.com>
+
+commit 0de4adfb8c9674fa1572b0ff1371acc94b0be901 upstream.
+
+We read the SWRST (Software Reset) register to get at the last reset
+state, and then we may configure the DOUBLE_FAULT bit to control behavior
+when a double fault occurs. But if the lower bits of the register is
+already set (like UART boot mode on a BF54x), we inadvertently make the
+system reset by writing to the SYSTEM_RESET field at the same time. So
+make sure the lower 4 bits are always cleared.
+
+Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/blackfin/kernel/setup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/blackfin/kernel/setup.c
++++ b/arch/blackfin/kernel/setup.c
+@@ -831,7 +831,8 @@ void __init setup_arch(char **cmdline_p)
+ defined(CONFIG_BF538) || defined(CONFIG_BF539)
+ _bfin_swrst = bfin_read_SWRST();
+ #else
+- _bfin_swrst = bfin_read_SYSCR();
++ /* Clear boot mode field */
++ _bfin_swrst = bfin_read_SYSCR() & ~0xf;
+ #endif
+
+ #ifdef CONFIG_DEBUG_DOUBLEFAULT_PRINT
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:30 2009
+Message-Id: <20090717201229.825396140@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:57 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mike Frysinger <vapier@gentoo.org>
+Subject: [patch 06/24] Blackfin: redo handling of bad irqs
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=blackfin-redo-handling-of-bad-irqs.patch
+Content-Length: 2885
+Lines: 113
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Mike Frysinger <vapier@gentoo.org>
+
+commit 26579216f3cdf1ae05f0af8412b444870a167510 upstream.
+
+With the common IRQ code initializing much more of the irq_desc state, we
+can't blindly initialize it ourselves to the local bad_irq state. If we
+do, we end up wrongly clobbering many fields. So punt most of the bad irq
+code as the common layers will handle the default state, and simply call
+handle_bad_irq() directly when the IRQ we are processing is invalid.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/blackfin/kernel/irqchip.c | 50 +++++++++--------------------------------
+ 1 file changed, 11 insertions(+), 39 deletions(-)
+
+--- a/arch/blackfin/kernel/irqchip.c
++++ b/arch/blackfin/kernel/irqchip.c
+@@ -38,14 +38,6 @@
+ #include <asm/pda.h>
+
+ static atomic_t irq_err_count;
+-static spinlock_t irq_controller_lock;
+-
+-/*
+- * Dummy mask/unmask handler
+- */
+-void dummy_mask_unmask_irq(unsigned int irq)
+-{
+-}
+
+ void ack_bad_irq(unsigned int irq)
+ {
+@@ -53,21 +45,9 @@ void ack_bad_irq(unsigned int irq)
+ printk(KERN_ERR "IRQ: spurious interrupt %d\n", irq);
+ }
+
+-static struct irq_chip bad_chip = {
+- .ack = dummy_mask_unmask_irq,
+- .mask = dummy_mask_unmask_irq,
+- .unmask = dummy_mask_unmask_irq,
+-};
+-
+ static struct irq_desc bad_irq_desc = {
+- .status = IRQ_DISABLED,
+- .chip = &bad_chip,
+ .handle_irq = handle_bad_irq,
+- .depth = 1,
+ .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
+-#ifdef CONFIG_SMP
+- .affinity = CPU_MASK_ALL
+-#endif
+ };
+
+ #ifdef CONFIG_CPUMASK_OFFSTACK
+@@ -117,21 +97,13 @@ __attribute__((l1_text))
+ #endif
+ asmlinkage void asm_do_IRQ(unsigned int irq, struct pt_regs *regs)
+ {
+- struct pt_regs *old_regs;
+- struct irq_desc *desc = irq_desc + irq;
+ #ifndef CONFIG_IPIPE
+ unsigned short pending, other_ints;
+ #endif
+- old_regs = set_irq_regs(regs);
+-
+- /*
+- * Some hardware gives randomly wrong interrupts. Rather
+- * than crashing, do something sensible.
+- */
+- if (irq >= NR_IRQS)
+- desc = &bad_irq_desc;
++ struct pt_regs *old_regs = set_irq_regs(regs);
+
+ irq_enter();
++
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+ /* Debugging check for stack overflow: is there less than STACK_WARN free? */
+ {
+@@ -147,7 +119,15 @@ asmlinkage void asm_do_IRQ(unsigned int
+ }
+ }
+ #endif
+- generic_handle_irq(irq);
++
++ /*
++ * Some hardware gives randomly wrong interrupts. Rather
++ * than crashing, do something sensible.
++ */
++ if (irq >= NR_IRQS)
++ handle_bad_irq(irq, &bad_irq_desc);
++ else
++ generic_handle_irq(irq);
+
+ #ifndef CONFIG_IPIPE
+ /*
+@@ -171,14 +151,6 @@ asmlinkage void asm_do_IRQ(unsigned int
+
+ void __init init_IRQ(void)
+ {
+- struct irq_desc *desc;
+- int irq;
+-
+- spin_lock_init(&irq_controller_lock);
+- for (irq = 0, desc = irq_desc; irq < NR_IRQS; irq++, desc++) {
+- *desc = bad_irq_desc;
+- }
+-
+ init_arch_irq();
+
+ #ifdef CONFIG_DEBUG_BFIN_HWTRACE_EXPAND
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:30 2009
+Message-Id: <20090717201230.125985614@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:58 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sonic Zhang <sonic.zhang@analog.com>,
+ Mike Frysinger <vapier@gentoo.org>
+Subject: [patch 07/24] Blackfin: fix deadlock in SMP IPI handler
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=blackfin-fix-deadlock-in-smp-ipi-handler.patch
+Content-Length: 2902
+Lines: 79
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Sonic Zhang <sonic.zhang@analog.com>
+
+commit 86f2008bf546af9a434f480710e8d33891616bf5 upstream.
+
+When a low priority interrupt (like ethernet) is triggered between 2 high
+priority IPI messages, a deadlock in disable_irq() is hit by the second
+IPI handler. This is because the second IPI message is queued within the
+first IPI handler, but the handler doesn't process all messages, and new
+ones are inserted rather than appended. So now we process all the pending
+messages, and append new ones to the pending list.
+
+URL: http://blackfin.uclinux.org/gf/tracker/5226
+
+Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/blackfin/mach-common/smp.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/blackfin/mach-common/smp.c
++++ b/arch/blackfin/mach-common/smp.c
+@@ -139,7 +139,7 @@ static void ipi_call_function(unsigned i
+
+ static irqreturn_t ipi_handler(int irq, void *dev_instance)
+ {
+- struct ipi_message *msg, *mg;
++ struct ipi_message *msg;
+ struct ipi_message_queue *msg_queue;
+ unsigned int cpu = smp_processor_id();
+
+@@ -149,7 +149,8 @@ static irqreturn_t ipi_handler(int irq,
+ msg_queue->count++;
+
+ spin_lock(&msg_queue->lock);
+- list_for_each_entry_safe(msg, mg, &msg_queue->head, list) {
++ while (!list_empty(&msg_queue->head)) {
++ msg = list_entry(msg_queue->head.next, typeof(*msg), list);
+ list_del(&msg->list);
+ switch (msg->type) {
+ case BFIN_IPI_RESCHEDULE:
+@@ -216,7 +217,7 @@ int smp_call_function(void (*func)(void
+ for_each_cpu_mask(cpu, callmap) {
+ msg_queue = &per_cpu(ipi_msg_queue, cpu);
+ spin_lock_irqsave(&msg_queue->lock, flags);
+- list_add(&msg->list, &msg_queue->head);
++ list_add_tail(&msg->list, &msg_queue->head);
+ spin_unlock_irqrestore(&msg_queue->lock, flags);
+ platform_send_ipi_cpu(cpu);
+ }
+@@ -256,7 +257,7 @@ int smp_call_function_single(int cpuid,
+
+ msg_queue = &per_cpu(ipi_msg_queue, cpu);
+ spin_lock_irqsave(&msg_queue->lock, flags);
+- list_add(&msg->list, &msg_queue->head);
++ list_add_tail(&msg->list, &msg_queue->head);
+ spin_unlock_irqrestore(&msg_queue->lock, flags);
+ platform_send_ipi_cpu(cpu);
+
+@@ -287,7 +288,7 @@ void smp_send_reschedule(int cpu)
+
+ msg_queue = &per_cpu(ipi_msg_queue, cpu);
+ spin_lock_irqsave(&msg_queue->lock, flags);
+- list_add(&msg->list, &msg_queue->head);
++ list_add_tail(&msg->list, &msg_queue->head);
+ spin_unlock_irqrestore(&msg_queue->lock, flags);
+ platform_send_ipi_cpu(cpu);
+
+@@ -315,7 +316,7 @@ void smp_send_stop(void)
+ for_each_cpu_mask(cpu, callmap) {
+ msg_queue = &per_cpu(ipi_msg_queue, cpu);
+ spin_lock_irqsave(&msg_queue->lock, flags);
+- list_add(&msg->list, &msg_queue->head);
++ list_add_tail(&msg->list, &msg_queue->head);
+ spin_unlock_irqrestore(&msg_queue->lock, flags);
+ platform_send_ipi_cpu(cpu);
+ }
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:30 2009
+Message-Id: <20090717201230.590698517@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:08:59 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mike Frysinger <vapier@gentoo.org>
+Subject: [patch 08/24] Blackfin: fix command line corruption with DEBUG_DOUBLEFAULT
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=blackfin-fix-command-line-corruption-with-debug_doublefault.patch
+Content-Length: 1308
+Lines: 52
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Mike Frysinger <vapier@gentoo.org>
+
+commit 37082511f06108129bd5f96d625a6fae2d5a4ab4 upstream.
+
+Commit 6b3087c6 (which introduced Blackfin SMP) broke command line passing
+when the DEBUG_DOUBLEFAULT config option was enabled. Switch the code to
+using a scratch register and not R7 which holds the command line.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/blackfin/mach-common/head.S | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/blackfin/mach-common/head.S
++++ b/arch/blackfin/mach-common/head.S
+@@ -126,25 +126,25 @@ ENTRY(__start)
+ * below
+ */
+ GET_PDA(p0, r0);
+- r7 = [p0 + PDA_RETX];
++ r6 = [p0 + PDA_RETX];
+ p1.l = _init_saved_retx;
+ p1.h = _init_saved_retx;
+- [p1] = r7;
++ [p1] = r6;
+
+- r7 = [p0 + PDA_DCPLB];
++ r6 = [p0 + PDA_DCPLB];
+ p1.l = _init_saved_dcplb_fault_addr;
+ p1.h = _init_saved_dcplb_fault_addr;
+- [p1] = r7;
++ [p1] = r6;
+
+- r7 = [p0 + PDA_ICPLB];
++ r6 = [p0 + PDA_ICPLB];
+ p1.l = _init_saved_icplb_fault_addr;
+ p1.h = _init_saved_icplb_fault_addr;
+- [p1] = r7;
++ [p1] = r6;
+
+- r7 = [p0 + PDA_SEQSTAT];
++ r6 = [p0 + PDA_SEQSTAT];
+ p1.l = _init_saved_seqstat;
+ p1.h = _init_saved_seqstat;
+- [p1] = r7;
++ [p1] = r6;
+ #endif
+
+ /* Initialize stack pointer */
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:31 2009
+Message-Id: <20090717201231.001369907@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:00 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 09/24] futex: Fix the write access fault problem for real
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=futex-fix-the-write-access-fault-problem-for-real.patch
+Content-Length: 4095
+Lines: 133
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit d0725992c8a6fb63a16bc9e8b2a50094cc4db3cd and aa715284b4d28cabde6c25c568d769a6be712bc8 upstream
+
+commit 64d1304a64 (futex: setup writeable mapping for futex ops which
+modify user space data) did address only half of the problem of write
+access faults.
+
+The patch was made on two wrong assumptions:
+
+1) access_ok(VERIFY_WRITE,...) would actually check write access.
+
+ On x86 it does _NOT_. It's a pure address range check.
+
+2) a RW mapped region can not go away under us.
+
+ That's wrong as well. Nobody can prevent another thread to call
+ mprotect(PROT_READ) on that region where the futex resides. If that
+ call hits between the get_user_pages_fast() verification and the
+ actual write access in the atomic region we are toast again.
+
+The solution is to not rely on access_ok and get_user() for any write
+access related fault on private and shared futexes. Instead we need to
+fault it in with verification of write access.
+
+There is no generic non destructive write mechanism which would fault
+the user page in trough a #PF, but as we already know that we will
+fault we can as well call get_user_pages() directly and avoid the #PF
+overhead.
+
+If get_user_pages() returns -EFAULT we know that we can not fix it
+anymore and need to bail out to user space.
+
+Remove a bunch of confusing comments on this issue as well.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 42 +++++++++++++++++++++++-------------------
+ 1 file changed, 23 insertions(+), 19 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -278,6 +278,25 @@ void put_futex_key(int fshared, union fu
+ drop_futex_key_refs(key);
+ }
+
++/*
++ * fault_in_user_writeable - fault in user address and verify RW access
++ * @uaddr: pointer to faulting user space address
++ *
++ * Slow path to fixup the fault we just took in the atomic write
++ * access to @uaddr.
++ *
++ * We have no generic implementation of a non destructive write to the
++ * user address. We know that we faulted in the atomic pagefault
++ * disabled section so we can as well avoid the #PF overhead by
++ * calling get_user_pages() right away.
++ */
++static int fault_in_user_writeable(u32 __user *uaddr)
++{
++ int ret = get_user_pages(current, current->mm, (unsigned long)uaddr,
++ 1, 1, 0, NULL, NULL);
++ return ret < 0 ? ret : 0;
++}
++
+ static u32 cmpxchg_futex_value_locked(u32 __user *uaddr, u32 uval, u32 newval)
+ {
+ u32 curval;
+@@ -739,7 +758,6 @@ retry:
+ retry_private:
+ op_ret = futex_atomic_op_inuser(op, uaddr2);
+ if (unlikely(op_ret < 0)) {
+- u32 dummy;
+
+ double_unlock_hb(hb1, hb2);
+
+@@ -757,7 +775,7 @@ retry_private:
+ goto out_put_keys;
+ }
+
+- ret = get_user(dummy, uaddr2);
++ ret = fault_in_user_writeable(uaddr2);
+ if (ret)
+ goto out_put_keys;
+
+@@ -1097,7 +1115,7 @@ retry:
+ handle_fault:
+ spin_unlock(q->lock_ptr);
+
+- ret = get_user(uval, uaddr);
++ ret = fault_in_user_writeable(uaddr);
+
+ spin_lock(q->lock_ptr);
+
+@@ -1552,16 +1570,9 @@ out:
+ return ret;
+
+ uaddr_faulted:
+- /*
+- * We have to r/w *(int __user *)uaddr, and we have to modify it
+- * atomically. Therefore, if we continue to fault after get_user()
+- * below, we need to handle the fault ourselves, while still holding
+- * the mmap_sem. This can occur if the uaddr is under contention as
+- * we have to drop the mmap_sem in order to call get_user().
+- */
+ queue_unlock(&q, hb);
+
+- ret = get_user(uval, uaddr);
++ ret = fault_in_user_writeable(uaddr);
+ if (ret)
+ goto out_put_key;
+
+@@ -1657,17 +1668,10 @@ out:
+ return ret;
+
+ pi_faulted:
+- /*
+- * We have to r/w *(int __user *)uaddr, and we have to modify it
+- * atomically. Therefore, if we continue to fault after get_user()
+- * below, we need to handle the fault ourselves, while still holding
+- * the mmap_sem. This can occur if the uaddr is under contention as
+- * we have to drop the mmap_sem in order to call get_user().
+- */
+ spin_unlock(&hb->lock);
+ put_futex_key(fshared, &key);
+
+- ret = get_user(uval, uaddr);
++ ret = fault_in_user_writeable(uaddr);
+ if (!ret)
+ goto retry;
+
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:31 2009
+Message-Id: <20090717201231.389120722@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:01 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sonny Rao <sonnyrao@us.ibm.com>,
+ Thomas Gleixner <tglx@linutronix.de>,
+ anton@samba.org,
+ rajamony@us.ibm.com,
+ speight@us.ibm.com,
+ mstephen@us.ibm.com,
+ grimm@us.ibm.com,
+ mikey@ozlabs.au.ibm.com,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 10/24] futexes: Fix infinite loop in get_futex_key() on huge page
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=futexes-fix-infinite-loop-in-get_futex_key-on-huge-page.patch
+Content-Length: 1113
+Lines: 40
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Sonny Rao <sonnyrao@us.ibm.com>
+
+commit ce2ae53b750abfaa012ce408e93da131a5b5649b upstream.
+
+get_futex_key() can infinitely loop if it is called on a
+virtual address that is within a huge page but not aligned to
+the beginning of that page. The call to get_user_pages_fast
+will return the struct page for a sub-page within the huge page
+and the check for page->mapping will always fail.
+
+The fix is to call compound_head on the page before checking
+that it's mapped.
+
+Signed-off-by: Sonny Rao <sonnyrao@us.ibm.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: anton@samba.org
+Cc: rajamony@us.ibm.com
+Cc: speight@us.ibm.com
+Cc: mstephen@us.ibm.com
+Cc: grimm@us.ibm.com
+Cc: mikey@ozlabs.au.ibm.com
+LKML-Reference: <20090710231313.GA23572@us.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -241,6 +241,7 @@ again:
+ if (err < 0)
+ return err;
+
++ page = compound_head(page);
+ lock_page(page);
+ if (!page->mapping) {
+ unlock_page(page);
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:32 2009
+Message-Id: <20090717201231.896581307@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:02 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Zhang Rui <rui.zhang@intel.com>,
+ Pierre Ossman <drzeus@drzeus.cx>,
+ Jesse Barnes <jbarnes@virtuousgeek.org>
+Subject: [patch 11/24] kernel/resource.c: fix sign extension in reserve_setup()
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=kernel-resource.c-fix-sign-extension-in-reserve_setup.patch
+Content-Length: 1127
+Lines: 36
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit 8bc1ad7dd301b7ca7454013519fa92e8c53655ff upstream.
+
+When the 32-bit signed quantities get assigned to the u64 resource_size_t,
+they are incorrectly sign-extended.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Reported-by: Leann Ogasawara <leann@ubuntu.com>
+Cc: Pierre Ossman <drzeus@drzeus.cx>
+Reported-by: <pablomme@googlemail.com>
+Tested-by: <pablomme@googlemail.com>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -787,7 +787,7 @@ static int __init reserve_setup(char *st
+ static struct resource reserve[MAXRESERVE];
+
+ for (;;) {
+- int io_start, io_num;
++ unsigned int io_start, io_num;
+ int x = reserved;
+
+ if (get_option (&str, &io_start) != 2)
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:32 2009
+Message-Id: <20090717201232.491501823@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:03 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tejun Heo <tj@kernel.org>,
+ Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
+ Richard Henderson <rth@twiddle.net>
+Subject: [patch 12/24] alpha: fix percpu build breakage
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=alpha-fix-percpu-build-breakage.patch
+Content-Length: 3110
+Lines: 88
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Tejun Heo <tj@kernel.org>
+
+commit b01e8dc34379f4ba2f454390e340a025edbaaa7e upstream.
+
+alpha percpu access requires custom SHIFT_PERCPU_PTR() definition for
+modules to work around addressing range limitation. This is done via
+generating inline assembly using C preprocessing which forces the
+assembler to generate external reference. This happens behind the
+compiler's back and makes the compiler think that static percpu variables
+in modules are unused.
+
+This used to be worked around by using __unused attribute for percpu
+variables which prevent the compiler from omitting the variable; however,
+recent declare/definition attribute unification change broke this as
+__used can't be used for declaration. Also, in the process,
+PER_CPU_ATTRIBUTES definition in alpha percpu.h got broken.
+
+This patch adds PER_CPU_DEF_ATTRIBUTES which is only used for definitions
+and make alpha use it to add __used for percpu variables in modules. This
+also fixes the PER_CPU_ATTRIBUTES double definition bug.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Tested-by: maximilian attems <max@stro.at>
+Acked-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/alpha/include/asm/percpu.h | 6 +++---
+ include/asm-generic/percpu.h | 4 ++++
+ include/linux/percpu-defs.h | 3 ++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/alpha/include/asm/percpu.h
++++ b/arch/alpha/include/asm/percpu.h
+@@ -30,7 +30,7 @@ extern unsigned long __per_cpu_offset[NR
+
+ #ifndef MODULE
+ #define SHIFT_PERCPU_PTR(var, offset) RELOC_HIDE(&per_cpu_var(var), (offset))
+-#define PER_CPU_ATTRIBUTES
++#define PER_CPU_DEF_ATTRIBUTES
+ #else
+ /*
+ * To calculate addresses of locally defined variables, GCC uses 32-bit
+@@ -49,7 +49,7 @@ extern unsigned long __per_cpu_offset[NR
+ : "=&r"(__ptr), "=&r"(tmp_gp)); \
+ (typeof(&per_cpu_var(var)))(__ptr + (offset)); })
+
+-#define PER_CPU_ATTRIBUTES __used
++#define PER_CPU_DEF_ATTRIBUTES __used
+
+ #endif /* MODULE */
+
+@@ -71,7 +71,7 @@ extern unsigned long __per_cpu_offset[NR
+ #define __get_cpu_var(var) per_cpu_var(var)
+ #define __raw_get_cpu_var(var) per_cpu_var(var)
+
+-#define PER_CPU_ATTRIBUTES
++#define PER_CPU_DEF_ATTRIBUTES
+
+ #endif /* SMP */
+
+--- a/include/asm-generic/percpu.h
++++ b/include/asm-generic/percpu.h
+@@ -97,4 +97,8 @@ extern void setup_per_cpu_areas(void);
+ #define PER_CPU_ATTRIBUTES
+ #endif
+
++#ifndef PER_CPU_DEF_ATTRIBUTES
++#define PER_CPU_DEF_ATTRIBUTES
++#endif
++
+ #endif /* _ASM_GENERIC_PERCPU_H_ */
+--- a/include/linux/percpu-defs.h
++++ b/include/linux/percpu-defs.h
+@@ -24,7 +24,8 @@
+
+ #define DEFINE_PER_CPU_SECTION(type, name, section) \
+ __attribute__((__section__(PER_CPU_BASE_SECTION section))) \
+- PER_CPU_ATTRIBUTES __typeof__(type) per_cpu__##name
++ PER_CPU_ATTRIBUTES PER_CPU_DEF_ATTRIBUTES \
++ __typeof__(type) per_cpu__##name
+
+ /*
+ * Variant on the per-CPU variable declaration/definition theme used for
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:33 2009
+Message-Id: <20090717201232.906038306@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:04 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Joerg Roedel <joerg.roedel@amd.com>
+Subject: [patch 13/24] dma-debug: fix off-by-one error in overlap function
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=dma-debug-fix-off-by-one-error-in-overlap-function.patch
+Content-Length: 879
+Lines: 28
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit c79ee4e466dd12347f112e2af306dca35198458f upstream.
+
+This patch fixes a bug in the overlap function which returned true if
+one region ends exactly before the second region begins. This is no
+overlap but the function returned true in that case.
+
+Reported-by: Andrew Randrianasulu <randrik@mail.ru>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/dma-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/dma-debug.c
++++ b/lib/dma-debug.c
+@@ -599,7 +599,7 @@ static inline bool overlap(void *addr, u
+
+ return ((addr >= start && addr < end) ||
+ (addr2 >= start && addr2 < end) ||
+- ((addr < start) && (addr2 >= end)));
++ ((addr < start) && (addr2 > end)));
+ }
+
+ static void check_for_illegal_area(struct device *dev, void *addr, u64 size)
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:33 2009
+Message-Id: <20090717201233.513527878@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:05 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ken Milmore <ken.milmore@googlemail.com>,
+ NeilBrown <neilb@suse.de>,
+ Jens Axboe <jens.axboe@oracle.com>
+Subject: [patch 14/24] blocK: Restore barrier support for md and probably other virtual devices.
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=block-restore-barrier-support-for-md-and-probably-other-virtual-devices.patch
+Content-Length: 1590
+Lines: 51
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: NeilBrown <neilb@suse.de>
+
+commit db64f680ba4b5c56c4be59f0698000df89ff0281 upstream.
+
+The next_ordered flag is only meaningful for devices that use __make_request.
+So move the test against next_ordered out of generic code and in to
+__make_request
+
+Since this test was added, barriers have not worked on md or any
+devices that don't use __make_request and so don't bother to set
+next_ordered. (dm explicitly sets something other than
+QUEUE_ORDERED_NONE since
+ commit 99360b4c18f7675b50d283301d46d755affe75fd
+but notes in the comments that it is otherwise meaningless).
+
+Cc: Ken Milmore <ken.milmore@googlemail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/blk-core.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1158,6 +1158,11 @@ static int __make_request(struct request
+
+ nr_sectors = bio_sectors(bio);
+
++ if (bio_barrier(bio) && bio_has_data(bio) &&
++ (q->next_ordered == QUEUE_ORDERED_NONE)) {
++ bio_endio(bio, -EOPNOTSUPP);
++ return 0;
++ }
+ /*
+ * low level driver can indicate that it wants pages above a
+ * certain limit bounced to low memory (ie for highmem, or even
+@@ -1461,11 +1466,6 @@ static inline void __generic_make_reques
+ err = -EOPNOTSUPP;
+ goto end_io;
+ }
+- if (bio_barrier(bio) && bio_has_data(bio) &&
+- (q->next_ordered == QUEUE_ORDERED_NONE)) {
+- err = -EOPNOTSUPP;
+- goto end_io;
+- }
+
+ ret = q->make_request_fn(q, bio);
+ } while (ret);
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:34 2009
+Message-Id: <20090717201234.071675916@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:06 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ NeilBrown <neilb@suse.de>
+Subject: [patch 15/24] md/raid5: suspend shouldnt affect read requests.
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=md-raid5-suspend-shouldn-t-affect-read-requests.patch
+Content-Length: 883
+Lines: 25
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: NeilBrown <neilb@suse.de>
+
+commit a5c308d4d1659b1f4833b863394e3e24cdbdfc6e upstream.
+
+md allows write to regions on an array to be suspended temporarily.
+This allows user-space to participate is aspects of reshape.
+In particular, data can be copied with not risk of a race.
+We should not be blocking read requests though, so don't.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3702,7 +3702,8 @@ static int make_request(struct request_queue *q, struct bio * bi)
+ /* FIXME what if we get a false positive because these
+ * are being updated.
+ */
+- if (logical_sector >= mddev->suspend_lo &&
++ if (bio_data_dir(bi) == WRITE &&
++ logical_sector >= mddev->suspend_lo &&
+ logical_sector < mddev->suspend_hi) {
+ release_stripe(sh);
+ schedule();
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:34 2009
+Message-Id: <20090717201234.451772052@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:07 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ NeilBrown <neilb@suse.de>
+Subject: [patch 16/24] md: fix error path when duplicate name is found on md device creation.
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=md-fix-error-path-when-duplicate-name-is-found-on-md-device-creation.patch
+Content-Length: 888
+Lines: 30
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: NeilBrown <neilb@suse.de>
+
+commit 1ec22eb2b4a2e1a763106bce36b11c02eaa84e61 upstream.
+
+When an md device is created by name (rather than number) we need to
+check that the name is not already in use. If this check finds a
+duplicate, we return an error without dropping the lock or freeing
+the newly create mddev.
+This patch fixes that.
+
+Found-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3876,6 +3876,8 @@ static int md_alloc(dev_t dev, char *nam
+ if (mddev2->gendisk &&
+ strcmp(mddev2->gendisk->disk_name, name) == 0) {
+ spin_unlock(&all_mddevs_lock);
++ mutex_unlock(&disks_mutex);
++ mddev_put(mddev);
+ return -EEXIST;
+ }
+ spin_unlock(&all_mddevs_lock);
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:35 2009
+Message-Id: <20090717201235.020571302@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:08 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ NeilBrown <neilb@suse.de>
+Subject: [patch 17/24] md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes.
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=md-avoid-dereferencing-null-pointer-when-accessing-suspend_-sysfs-attributes.patch
+Content-Length: 1085
+Lines: 39
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: NeilBrown <neilb@suse.de>
+
+commit b8d966efd9a46a9a35beac50cbff6e30565125ef upstream.
+
+If we try to modify one of the md/ sysfs files
+ suspend_lo or suspend_hi
+when the array is not active, we dereference a NULL.
+Protect against that.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/md.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3589,7 +3589,8 @@ suspend_lo_store(mddev_t *mddev, const c
+ char *e;
+ unsigned long long new = simple_strtoull(buf, &e, 10);
+
+- if (mddev->pers->quiesce == NULL)
++ if (mddev->pers == NULL ||
++ mddev->pers->quiesce == NULL)
+ return -EINVAL;
+ if (buf == e || (*e && *e != '\n'))
+ return -EINVAL;
+@@ -3617,7 +3618,8 @@ suspend_hi_store(mddev_t *mddev, const c
+ char *e;
+ unsigned long long new = simple_strtoull(buf, &e, 10);
+
+- if (mddev->pers->quiesce == NULL)
++ if (mddev->pers == NULL ||
++ mddev->pers->quiesce == NULL)
+ return -EINVAL;
+ if (buf == e || (*e && *e != '\n'))
+ return -EINVAL;
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:35 2009
+Message-Id: <20090717201235.532748898@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:09 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Eric W. Biederman" <ebiederm@aristanetworks.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 18/24] Revert "ipv4: arp announce, arp_proxy and windows ip conflict verification"
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=revert-ipv4-arp-announce-arp_proxy-and-windows-ip-conflict-verification.patch
+Content-Length: 1477
+Lines: 43
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit f8a68e752bc4e39644843403168137663c984524 upstream.
+
+This reverts commit 73ce7b01b4496a5fbf9caf63033c874be692333f.
+
+After discovering that we don't listen to gratuitious arps in 2.6.30
+I tracked the failure down to this commit.
+
+The patch makes absolutely no sense. RFC2131 RFC3927 and RFC5227.
+are all in agreement that an arp request with sip == 0 should be used
+for the probe (to prevent learning) and an arp request with sip == tip
+should be used for the gratitous announcement that people can learn
+from.
+
+It appears the author of the broken patch got those two cases confused
+and modified the code to drop all gratuitous arp traffic. Ouch!
+
+Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/arp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -801,11 +801,8 @@ static int arp_process(struct sk_buff *s
+ * cache.
+ */
+
+- /*
+- * Special case: IPv4 duplicate address detection packet (RFC2131)
+- * and Gratuitous ARP/ARP Announce. (RFC3927, Section 2.4)
+- */
+- if (sip == 0 || tip == sip) {
++ /* Special case: IPv4 duplicate address detection packet (RFC2131) */
++ if (sip == 0) {
+ if (arp->ar_op == htons(ARPOP_REQUEST) &&
+ inet_addr_type(net, tip) == RTN_LOCAL &&
+ !arp_ignore(in_dev, sip, tip))
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:36 2009
+Message-Id: <20090717201236.180300826@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:10 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jiri Slaby <jirislaby@gmail.com>,
+ Jens Axboe <jens.axboe@oracle.com>
+Subject: [patch 19/24] floppy: fix lock imbalance
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=floppy-fix-lock-imbalance.patch
+Content-Length: 978
+Lines: 33
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 8516a500029890a72622d245f8ed32c4e30969b7 upstream.
+
+A crappy macro prevents us unlocking on a fail path.
+
+Expand the macro and unlock appropriatelly.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3327,7 +3327,10 @@ static inline int set_geometry(unsigned
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ mutex_lock(&open_lock);
+- LOCK_FDC(drive, 1);
++ if (lock_fdc(drive, 1)) {
++ mutex_unlock(&open_lock);
++ return -EINTR;
++ }
+ floppy_type[type] = *g;
+ floppy_type[type].name = "user format";
+ for (cnt = type << 2; cnt < (type << 2) + 4; cnt++)
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:36 2009
+Message-Id: <20090717201236.713006028@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:11 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Woodhouse <David.Woodhouse@intel.com>
+Subject: [patch 20/24] Fix pci_unmap_addr() et al on i386.
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=fix-pci_unmap_addr-et-al-on-i386.patch
+Content-Length: 1127
+Lines: 33
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit 788d84bba47ea3eb377f7a3ae4fd1ee84b84877b upstream.
+
+We can run a 32-bit kernel on boxes with an IOMMU, so we need
+pci_unmap_addr() etc. to work -- without it, drivers will leak mappings.
+
+To be honest, this whole thing looks like it's more pain than it's
+worth; I'm half inclined to remove the no-op #else case altogether.
+
+But this is the minimal fix, which just does the right thing if
+CONFIG_DMAR is set.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/pci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/pci.h
++++ b/arch/x86/include/asm/pci.h
+@@ -91,7 +91,7 @@ extern void pci_iommu_alloc(void);
+
+ #define PCI_DMA_BUS_IS_PHYS (dma_ops->is_phys)
+
+-#if defined(CONFIG_X86_64) || defined(CONFIG_DMA_API_DEBUG)
++#if defined(CONFIG_X86_64) || defined(CONFIG_DMAR) || defined(CONFIG_DMA_API_DEBUG)
+
+ #define DECLARE_PCI_UNMAP_ADDR(ADDR_NAME) \
+ dma_addr_t ADDR_NAME;
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:37 2009
+Message-Id: <20090717201237.072896951@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:12 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Woodhouse <David.Woodhouse@intel.com>,
+ mark gross <mgross@linux.intel.com>
+Subject: [patch 21/24] Fix iommu address space allocation
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=fix-iommu-address-space-allocation.patch
+Content-Length: 2426
+Lines: 66
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit a15a519ed6e5e644f5a33c213c00b0c1d3cfe683 upstream.
+
+This fixes kernel.org bug #13584. The IOVA code attempted to optimise
+the insertion of new ranges into the rbtree, with the unfortunate result
+that some ranges just didn't get inserted into the tree at all. Then
+those ranges would be handed out more than once, and things kind of go
+downhill from there.
+
+Introduced after 2.6.25 by ddf02886cbe665d67ca750750196ea5bf524b10b
+("PCI: iova RB tree setup tweak").
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Cc: mark gross <mgross@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/iova.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/iova.c
++++ b/drivers/pci/iova.c
+@@ -1,9 +1,19 @@
+ /*
+- * Copyright (c) 2006, Intel Corporation.
++ * Copyright © 2006-2009, Intel Corporation.
+ *
+- * This file is released under the GPLv2.
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
++ * Place - Suite 330, Boston, MA 02111-1307 USA.
+ *
+- * Copyright (C) 2006-2008 Intel Corporation
+ * Author: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+ */
+
+@@ -123,7 +133,15 @@ move_left:
+ /* Insert the new_iova into domain rbtree by holding writer lock */
+ /* Add new node and rebalance tree. */
+ {
+- struct rb_node **entry = &((prev)), *parent = NULL;
++ struct rb_node **entry, *parent = NULL;
++
++ /* If we have 'prev', it's a valid place to start the
++ insertion. Otherwise, start from the root. */
++ if (prev)
++ entry = &prev;
++ else
++ entry = &iovad->rbroot.rb_node;
++
+ /* Figure out where to put new node */
+ while (*entry) {
+ struct iova *this = container_of(*entry,
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:37 2009
+Message-Id: <20090717201237.635913901@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:13 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Miklos Szeredi <mszeredi@suse.cz>
+Subject: [patch 22/24] fuse: fix bad return value in fuse_file_poll()
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=fuse-fix-bad-return-value-in-fuse_file_poll.patch
+Content-Length: 626
+Lines: 26
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 201fa69a2849536ef2912e8e971ec0b01c04eff4 upstream.
+
+Fix fuse_file_poll() which returned a -errno value instead of a poll
+mask.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1867,7 +1867,7 @@ static unsigned fuse_file_poll(struct fi
+
+ req = fuse_get_req(fc);
+ if (IS_ERR(req))
+- return PTR_ERR(req);
++ return POLLERR;
+
+ req->in.h.opcode = FUSE_POLL;
+ req->in.h.nodeid = get_node_id(inode);
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:38 2009
+Message-Id: <20090717201237.955389551@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:14 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Miklos Szeredi <mszeredi@suse.cz>
+Subject: [patch 23/24] fuse: fix return value of fuse_dev_write()
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=fuse-fix-return-value-of-fuse_dev_write.patch
+Content-Length: 981
+Lines: 31
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Csaba Henk <csaba@gluster.com>
+
+commit b4c458b3a23d76936e76678f2074b1528f129f7a upstream.
+
+On 64 bit systems -- where sizeof(ssize_t) > sizeof(int) -- the following test
+exposes a bug due to a non-careful return of an int or unsigned value:
+
+implement a FUSE filesystem which sends an unsolicited notification to
+the kernel with invalid opcode. The respective write to /dev/fuse
+will return (1 << 32) - EINVAL with errno == 0 instead of -1 with
+errno == EINVAL.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fuse/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -904,7 +904,7 @@ static ssize_t fuse_dev_write(struct kio
+ unsigned long nr_segs, loff_t pos)
+ {
+ int err;
+- unsigned nbytes = iov_length(iov, nr_segs);
++ size_t nbytes = iov_length(iov, nr_segs);
+ struct fuse_req *req;
+ struct fuse_out_header oh;
+ struct fuse_copy_state cs;
+
+
+From gregkh@mini.kroah.org Fri Jul 17 13:12:38 2009
+Message-Id: <20090717201238.142701426@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 17 Jul 2009 13:09:15 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 24/24] Dont use -fwrapv compiler option: its buggy in gcc-4.1.x
+References: <20090717200851.907421303@mini.kroah.org>
+Content-Disposition: inline; filename=don-t-use-fwrapv-compiler-option-it-s-buggy-in-gcc-4.1.x.patch
+Content-Length: 1581
+Lines: 41
+
+2.6.30-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a137802ee839ace40079bebde24cfb416f73208a upstream.
+
+This causes kernel images that don't run init to completion with certain
+broken gcc versions.
+
+This fixes kernel bugzilla entry:
+ http://bugzilla.kernel.org/show_bug.cgi?id=13012
+
+I suspect the gcc problem is this:
+ http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230
+
+Fix the problem by using the -fno-strict-overflow flag instead, which
+not only does not exist in the known-to-be-broken versions of gcc (it
+was introduced later than fwrapv), but seems to be much less disturbing
+to gcc too: the difference in the generated code by -fno-strict-overflow
+are smaller (compared to using neither flag) than when using -fwrapv.
+
+Reported-by: Barry K. Nathan <barryn@pobox.com>
+Pushed-by: Frans Pop <elendil@planet.nl>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -574,7 +574,7 @@ KBUILD_CFLAGS += $(call cc-option,-Wdecl
+ KBUILD_CFLAGS += $(call cc-option,-Wno-pointer-sign,)
+
+ # disable invalid "can't wrap" optimizations for signed / pointers
+-KBUILD_CFLAGS += $(call cc-option,-fwrapv)
++KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
+
+ # revert to pre-gcc-4.4 behaviour of .eh_frame
+ KBUILD_CFLAGS += $(call cc-option,-fno-dwarf2-cfi-asm)
+
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
