--- /dev/null
+From e134d200d57d43b171dcb0b55c178a1a0c7db14a Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 21 Apr 2010 10:28:25 +0100
+Subject: CRED: Fix a race in creds_are_invalid() in credentials debugging
+
+From: David Howells <dhowells@redhat.com>
+
+commit e134d200d57d43b171dcb0b55c178a1a0c7db14a upstream.
+
+creds_are_invalid() reads both cred->usage and cred->subscribers and then
+compares them to make sure the number of processes subscribed to a cred struct
+never exceeds the refcount of that cred struct.
+
+The problem is that this can cause a race with both copy_creds() and
+exit_creds() as the two counters, whilst they are of atomic_t type, are only
+atomic with respect to themselves, and not atomic with respect to each other.
+
+This means that if creds_are_invalid() can read the values on one CPU whilst
+they're being modified on another CPU, and so can observe an evolving state in
+which the subscribers count now is greater than the usage count a moment
+before.
+
+Switching the order in which the counts are read cannot help, so the thing to
+do is to remove that particular check.
+
+I had considered rechecking the values to see if they're in flux if the test
+fails, but I can't guarantee they won't appear the same, even if they've
+changed several times in the meantime.
+
+Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled.
+
+The problem is only likely to occur with multithreaded programs, and can be
+tested by the tst-eintr1 program from glibc's "make check". The symptoms look
+like:
+
+ CRED: Invalid credentials
+ CRED: At include/linux/cred.h:240
+ CRED: Specified credentials: ffff88003dda5878 [real][eff]
+ CRED: ->magic=43736564, put_addr=(null)
+ CRED: ->usage=766, subscr=766
+ CRED: ->*uid = { 0,0,0,0 }
+ CRED: ->*gid = { 0,0,0,0 }
+ CRED: ->security is ffff88003d72f538
+ CRED: ->security {359, 359}
+ ------------[ cut here ]------------
+ kernel BUG at kernel/cred.c:850!
+ ...
+ RIP: 0010:[<ffffffff81049889>] [<ffffffff81049889>] __invalid_creds+0x4e/0x52
+ ...
+ Call Trace:
+ [<ffffffff8104a37b>] copy_creds+0x6b/0x23f
+
+Note the ->usage=766 and subscr=766. The values appear the same because
+they've been re-read since the check was made.
+
+Reported-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cred.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -786,8 +786,6 @@ bool creds_are_invalid(const struct cred
+ {
+ if (cred->magic != CRED_MAGIC)
+ return true;
+- if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
+- return true;
+ #ifdef CONFIG_SECURITY_SELINUX
+ if (selinux_is_enabled()) {
+ if ((unsigned long) cred->security < PAGE_SIZE)
--- /dev/null
+From 088ea189c4c75cdf211146faa4b341a0f7476be6 Mon Sep 17 00:00:00 2001
+From: Darren Jenkins <darrenrjenkins@gmail.com>
+Date: Wed, 17 Feb 2010 23:40:15 +1100
+Subject: drivers/net/wireless/p54/txrx.c Fix off by one error
+
+From: Darren Jenkins <darrenrjenkins@gmail.com>
+
+commit 088ea189c4c75cdf211146faa4b341a0f7476be6 upstream.
+
+fix off by one error in the queue size check of p54_tx_qos_accounting_alloc()
+
+Coverity CID: 13314
+
+Signed-off-by: Darren Jenkins <darrenrjenkins@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/p54/txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/p54/txrx.c
++++ b/drivers/net/wireless/p54/txrx.c
+@@ -186,7 +186,7 @@ static int p54_tx_qos_accounting_alloc(s
+ struct ieee80211_tx_queue_stats *queue;
+ unsigned long flags;
+
+- if (WARN_ON(p54_queue > P54_QUEUE_NUM))
++ if (WARN_ON(p54_queue >= P54_QUEUE_NUM))
+ return -EINVAL;
+
+ queue = &priv->tx_stats[p54_queue];
--- /dev/null
+From aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 Mon Sep 17 00:00:00 2001
+From: Leonard Michlmayr <leonard.michlmayr@gmail.com>
+Date: Thu, 4 Mar 2010 17:07:28 -0500
+Subject: ext4: correctly calculate number of blocks for fiemap
+
+From: Leonard Michlmayr <leonard.michlmayr@gmail.com>
+
+commit aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 upstream.
+
+ext4_fiemap() rounds the length of the requested range down to
+blocksize, which is is not the true number of blocks that cover the
+requested region. This problem is especially impressive if the user
+requests only the first byte of a file: not a single extent will be
+reported.
+
+We fix this by calculating the last block of the region and then
+subtract to find the number of blocks in the extents.
+
+Signed-off-by: Leonard Michlmayr <leonard.michlmayr@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/extents.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3767,7 +3767,6 @@ int ext4_fiemap(struct inode *inode, str
+ __u64 start, __u64 len)
+ {
+ ext4_lblk_t start_blk;
+- ext4_lblk_t len_blks;
+ int error = 0;
+
+ /* fallback to generic here if not in extents fmt */
+@@ -3781,8 +3780,14 @@ int ext4_fiemap(struct inode *inode, str
+ if (fieinfo->fi_flags & FIEMAP_FLAG_XATTR) {
+ error = ext4_xattr_fiemap(inode, fieinfo);
+ } else {
++ ext4_lblk_t len_blks;
++ __u64 last_blk;
++
+ start_blk = start >> inode->i_sb->s_blocksize_bits;
+- len_blks = len >> inode->i_sb->s_blocksize_bits;
++ last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits;
++ if (last_blk >= EXT_MAX_BLOCK)
++ last_blk = EXT_MAX_BLOCK-1;
++ len_blks = ((ext4_lblk_t) last_blk) - start_blk + 1;
+
+ /*
+ * Walk the extent tree gathering extent information.
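Review bot: The new `last_blk = (start + len - 1) >> ...` line in the else branch has no guard for `len == 0` or for `start + len` wrapping past the top of `__u64`, and `len_blks` is then computed as `last_blk - start_blk + 1` without checking that `start_blk <= last_blk` after the clamp to `EXT_MAX_BLOCK-1`. Both values describe a caller-supplied range, so unless that range is validated before ext4_fiemap() is reached (not visible in this hunk), a degenerate range turns `len_blks` into a very large block count instead of an error. If the caller does guarantee this, a comment such as `/* caller guarantees len > 0 and that start + len does not wrap */` would record the dependency; otherwise a check like `if (len == 0 || start + len < start)` that sets `error = -EINVAL` belongs before the shift. ext4_fiemap's body continues outside the hunk.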
--- /dev/null
+From df37bd156dcb4f5441beaf5bde444adac974e9a0 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@lougher.demon.co.uk>
+Date: Fri, 23 Apr 2010 13:18:11 -0400
+Subject: initramfs: handle unrecognised decompressor when unpacking
+
+From: Phillip Lougher <phillip@lougher.demon.co.uk>
+
+commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.
+
+The unpack routine fails to handle the decompress_method() returning
+unrecognised decompressor (compress_name == NULL). This results in the
+routine looping eventually oopsing on an out of bounds memory access.
+
+Note this bug is usually hidden, only triggering on trailing junk after
+one or more correct compressed blocks. The case of the compressed archive
+being complete junk is (by accident?) caught by the if (state != Reset)
+check because state is initialised to Start, but not updated due to the
+decompressor not having been called. Obviously if the junk is trailing a
+correctly decompressed buffer, state == Reset from the previous call to
+the decompressor.
+
+Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ init/initramfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(ch
+ compress_name);
+ message = msg_buf;
+ }
+- }
++ } else
++ error("junk in compressed archive");
+ if (state != Reset)
+ error("junk in compressed archive");
+ this_header = saved_offset + my_inptr;
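Review bot: The added `} else` leaves its body unbraced while the `if` arm it closes is braced, and it reuses the exact message of the `state != Reset` check directly below, so the log no longer shows which of the two conditions fired. Kernel style prefers braces on both arms here: `} else {`, `error("junk in compressed archive");`, `}`. Since the `if` this `else` pairs with starts outside the hunk, a short comment such as `/* no decompressor recognised for the remaining data */` would make the branch readable on its own. Whether calling error() twice in a row (here and in the following check) is harmless depends on its definition, which is not visible here.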
--- /dev/null
+From 2b0b39517d1af5294128dbc2fd7ed39c8effa540 Mon Sep 17 00:00:00 2001
+From: Bill Pemberton <wfp5p@virginia.edu>
+Date: Fri, 16 Apr 2010 08:01:20 -0500
+Subject: jfs: fix diAllocExt error in resizing filesystem
+
+From: Bill Pemberton <wfp5p@virginia.edu>
+
+commit 2b0b39517d1af5294128dbc2fd7ed39c8effa540 upstream.
+
+Resizing the filesystem would result in an diAllocExt error in some
+instances because changes in bmp->db_agsize would not get noticed if
+goto extendBmap was called.
+
+Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
+Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+Cc: jfs-discussion@lists.sourceforge.net
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/jfs/resize.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/resize.c
++++ b/fs/jfs/resize.c
+@@ -81,6 +81,7 @@ int jfs_extendfs(struct super_block *sb,
+ struct inode *iplist[1];
+ struct jfs_superblock *j_sb, *j_sb2;
+ uint old_agsize;
++ int agsizechanged = 0;
+ struct buffer_head *bh, *bh2;
+
+ /* If the volume hasn't grown, get out now */
+@@ -333,6 +334,9 @@ int jfs_extendfs(struct super_block *sb,
+ */
+ if ((rc = dbExtendFS(ipbmap, XAddress, nblocks)))
+ goto error_out;
++
++ agsizechanged |= (bmp->db_agsize != old_agsize);
++
+ /*
+ * the map now has extended to cover additional nblocks:
+ * dn_mapsize = oldMapsize + nblocks;
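Review bot: `agsizechanged` is introduced without any comment saying why a sticky flag replaces the direct comparison; the reason (a change in `bmp->db_agsize` being missed after `goto extendBmap`) is only in the commit message. A comment above the `|=` line, e.g. `/* sticky: a later pass through extendBmap must not hide an earlier AG size change */`, would keep that next to the code. The accumulation would also read more plainly as `if (bmp->db_agsize != old_agsize) agsizechanged = 1;` than as `|=` on a comparison result. The same remark covers the declaration hunk and the final `if (agsizechanged)` hunk; jfs_extendfs's body continues outside all three.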
+@@ -432,7 +436,7 @@ int jfs_extendfs(struct super_block *sb,
+ * will correctly identify the new ag);
+ */
+ /* if new AG size the same as old AG size, done! */
+- if (bmp->db_agsize != old_agsize) {
++ if (agsizechanged) {
+ if ((rc = diExtendFS(ipimap, ipbmap)))
+ goto error_out;
+
--- /dev/null
+From 45c4d015a92f72ec47acd0c7557abdc0c8a6499d Mon Sep 17 00:00:00 2001
+From: Mark Lord <kernel@teksavvy.com>
+Date: Wed, 7 Apr 2010 13:52:08 -0400
+Subject: libata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2)
+
+From: Mark Lord <kernel@teksavvy.com>
+
+commit 45c4d015a92f72ec47acd0c7557abdc0c8a6499d upstream.
+
+Most drives from Seagate, Hitachi, and possibly other brands,
+do not allow LBA28 access to sector number 0x0fffffff (2^28 - 1).
+So instead use LBA48 for such accesses.
+
+This bug could bite a lot of systems, especially when the user has
+taken care to align partitions to 4KB boundaries. On misaligned systems,
+it is less likely to be encountered, since a 4KB read would end at
+0x10000000 rather than at 0x0fffffff.
+
+Signed-off-by: Mark Lord <mlord@pobox.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/ata.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -1024,8 +1024,8 @@ static inline int ata_ok(u8 status)
+
+ static inline int lba_28_ok(u64 block, u32 n_block)
+ {
+- /* check the ending block number */
+- return ((block + n_block) < ((u64)1 << 28)) && (n_block <= 256);
++ /* check the ending block number: must be LESS THAN 0x0fffffff */
++ return ((block + n_block) < ((1 << 28) - 1)) && (n_block <= 256);
+ }
+
+ static inline int lba_48_ok(u64 block, u32 n_block)
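Review bot: The new comment in `lba_28_ok()` says the "ending block number" must be less than 0x0fffffff, but the expression compares `block + n_block`, which, if `n_block` is a sector count, is one past the last sector transferred rather than the last sector itself. As written the limit therefore applies to that sum, and the highest last sector still sent as LBA28 is lower than the comment suggests; that is the safe direction, but the comment and the code describe different quantities. Rewording it to `/* block + n_block (one past the last sector) must stay below 0x0fffffff */` would state exactly what is tested.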
--- /dev/null
+From cc2893b6af5265baa1d68b17b136cffca9e40cfa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Thu, 22 Apr 2010 09:30:51 -0400
+Subject: PCI: Ensure we re-enable devices on resume
+
+From: Matthew Garrett <mjg@redhat.com>
+
+commit cc2893b6af5265baa1d68b17b136cffca9e40cfa upstream.
+
+If the firmware puts a device back into D0 state at resume time, we'll
+update its state in resume_noirq and thus skip the platform resume code.
+Calling that code twice should be safe and we ought to avoid getting to
+that point anyway, so remove the check and also allow the platform pci
+code to be called for D0.
+
+Fixes USB not being powered after resume on recent Lenovo machines.
+
+Acked-by: Alex Chiang <achiang@canonical.com>
+Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/pci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -624,7 +624,7 @@ static void __pci_start_power_transition
+ */
+ int __pci_complete_power_transition(struct pci_dev *dev, pci_power_t state)
+ {
+- return state > PCI_D0 ?
++ return state >= PCI_D0 ?
+ pci_platform_power_transition(dev, state) : -EINVAL;
+ }
+ EXPORT_SYMBOL_GPL(__pci_complete_power_transition);
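Review bot: The switch from `>` to `>=` in `__pci_complete_power_transition()` carries no in-code explanation, and the kernel-doc above the function ends just before the visible part of the hunk, so it may still describe the old behaviour. A comment such as `/* D0 is allowed: firmware may already have put the device in D0 and the platform code must still run */` would bring the commit message's reasoning into the source. With `>=`, only values below `PCI_D0` are still rejected with `-EINVAL`, which is worth stating in the function's documentation as well.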
+@@ -661,10 +661,6 @@ int pci_set_power_state(struct pci_dev *
+ */
+ return 0;
+
+- /* Check if we're already there */
+- if (dev->current_state == state)
+- return 0;
+-
+ __pci_start_power_transition(dev, state);
+
+ /* This device is quirked not to be put into D3, so
alsa-hda-fix-0-db-for-packard-bell-models-using-conexant-cx20549-venice.patch
alsa-hda-use-olpc-xo-1_5-quirk-for-toshiba-satellite-pro-t130-15f.patch
alsa-hda-use-olpc-xo-1_5-quirk-for-toshiba-satellite-p500-pspgsc-01800t.patch
+pci-ensure-we-re-enable-devices-on-resume.patch
+libata-fix-accesses-at-lba28-boundary-old-bug-but-nasty-v2.patch
+ext4-correctly-calculate-number-of-blocks-for-fiemap.patch
+initramfs-handle-unrecognised-decompressor-when-unpacking.patch
+cred-fix-a-race-in-creds_are_invalid-in-credentials-debugging.patch
+jfs-fix-diallocext-error-in-resizing-filesystem.patch
+drivers-net-wireless-p54-txrx.c-fix-off-by-one-error.patch