--- /dev/null
+From stable-bounces@linux.kernel.org Sat Feb 10 01:47:53 2007
+From: Nick Piggin <npiggin@suse.de>
+Date: Sat, 10 Feb 2007 01:46:22 -0800
+Subject: buffer: memorder fix
+To: torvalds@linux-foundation.org
+Cc: npiggin@suse.de, akpm@linux-foundation.org, cmm@us.ibm.com, stable@kernel.org
+Message-ID: <200702100946.l1A9kM3s009363@shell0.pdx.osdl.net>
+
+
+From: Nick Piggin <npiggin@suse.de>
+
+unlock_buffer(), like unlock_page(), must not clear the lock without
+ensuring that the critical section is closed.
+
+
+Mingming later sent the same patch, saying:
+
+We are running SDET benchmark and saw double free issue for ext3 extended
+attributes block, which complains the same xattr block already being freed (in
+ext3_xattr_release_block()). The problem could also been triggered by
+multiple threads loop untar/rm a kernel tree.
+
+The race is caused by missing a memory barrier at unlock_buffer() before the
+lock bit being cleared, resulting in possible concurrent h_refcounter update.
+That causes a reference counter leak, then later leads to the double free that
+we have seen.
+
+Inside unlock_buffer(), there is a memory barrier is placed *after* the lock
+bit is being cleared, however, there is no memory barrier *before* the bit is
+cleared. On some arch the h_refcount update instruction and the clear bit
+instruction could be reordered, thus leave the critical section re-entered.
+
+The race is like this: For example, if the h_refcount is initialized as 1,
+
+cpu 0: cpu1
+-------------------------------------- -----------------------------------
+lock_buffer() /* test_and_set_bit */
+clear_buffer_locked(bh);
+ lock_buffer() /* test_and_set_bit */
+h_refcount = h_refcount+1; /* = 2*/ h_refcount = h_refcount + 1; /*= 2 */
+ clear_buffer_locked(bh);
+.... ......
+
+
+We lost a h_refcount here. We need a memory barrier before the buffer head
+lock bit being cleared to force the order of the two writes. Please apply.
+
+
+Signed-off-by: Nick Piggin <npiggin@suse.de>
+Cc: Mingming Cao <cmm@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/buffer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.20.1.orig/fs/buffer.c
++++ linux-2.6.20.1/fs/buffer.c
+@@ -78,6 +78,7 @@ EXPORT_SYMBOL(__lock_buffer);
+
+ void fastcall unlock_buffer(struct buffer_head *bh)
+ {
++ smp_mb__before_clear_bit();
+ clear_buffer_locked(bh);
+ smp_mb__after_clear_bit();
+ wake_up_bit(&bh->b_state, BH_Lock);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 12 00:53:56 2007
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Mon, 12 Feb 2007 00:52:30 -0800
+Subject: Char: specialix, isr have 2 params
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, jirislaby@gmail.com, stable@kernel.org
+Message-ID: <200702120852.l1C8qUKK026605@shell0.pdx.osdl.net>
+
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+specialix, isr have 2 params
+
+pt_regs are no longer the third parameter of isr, call sx_interrupt without
+it.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ drivers/char/specialix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/drivers/char/specialix.c
++++ linux-2.6.20.1/drivers/char/specialix.c
+@@ -459,7 +459,7 @@ void missed_irq (unsigned long data)
+ if (irq) {
+ printk (KERN_INFO "Missed interrupt... Calling int from timer. \n");
+ sx_interrupt (((struct specialix_board *)data)->irq,
+- (void*)data, NULL);
++ (void*)data);
+ }
+ missed_irq_timer.expires = jiffies + sx_poll;
+ add_timer (&missed_irq_timer);
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Feb 8 14:22:30 2007
+From: Soeren Sonnenburg <kernel@nn7.de>
+Date: Thu, 08 Feb 2007 14:20:38 -0800
+Subject: enable mouse button 2+3 emulation for x86 macs
+To: torvalds@linux-foundation.org
+Cc: kernel@nn7.de, benh@kernel.crashing.org, paulus@samba.org, dtor@mail.ru, akpm@linux-foundation.org, stable@kernel.org
+Message-ID: <200702082220.l18MKd82028502@shell0.pdx.osdl.net>
+
+
+From: Soeren Sonnenburg <kernel@nn7.de>
+
+As macbook/macbook pro's also have to live with a single mouse button the
+following patch just enables the Macintosh device drivers menu in Kconfig +
+adds the macintosh dir to the obj-* to make macbook* users happy (who use
+exactly that since months....
+
+Signed-off-by: Soeren Sonnenburg <kernel@nn7.de>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/Makefile | 2 +-
+ drivers/macintosh/Kconfig | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.20.1.orig/drivers/Makefile
++++ linux-2.6.20.1/drivers/Makefile
+@@ -30,7 +30,7 @@ obj-$(CONFIG_PARPORT) += parport/
+ obj-y += base/ block/ misc/ mfd/ net/ media/
+ obj-$(CONFIG_NUBUS) += nubus/
+ obj-$(CONFIG_ATM) += atm/
+-obj-$(CONFIG_PPC_PMAC) += macintosh/
++obj-y += macintosh/
+ obj-$(CONFIG_IDE) += ide/
+ obj-$(CONFIG_FC4) += fc4/
+ obj-$(CONFIG_SCSI) += scsi/
+--- linux-2.6.20.1.orig/drivers/macintosh/Kconfig
++++ linux-2.6.20.1/drivers/macintosh/Kconfig
+@@ -1,6 +1,6 @@
+
+ menu "Macintosh device drivers"
+- depends on PPC || MAC
++ depends on PPC || MAC || X86
+
+ config ADB
+ bool "Apple Desktop Bus (ADB) support"
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 5 17:05:37 2007
+From: Zwane Mwaikambo <zwane@infradead.org>
+Date: Mon, 05 Feb 2007 16:45:06 -0800
+Subject: Fix MTRR compat ioctl
+To: ak@suse.de
+Cc: akpm@linux-foundation.org, stable@kernel.org, zwane@infradead.org
+Message-ID: <200702060046.l160k9n6005536@shell0.pdx.osdl.net>
+
+
+From: Zwane Mwaikambo <zwane@infradead.org>
+
+The MTRR compat code wasn't calling the lowlevel MTRR setup due to a switch
+block not handling the compat case.
+
+Before:
+(WW) I810(0): Failed to set up write-combining range (0xd0000000,0x10000000)
+
+After:
+reg00: base=0x00000000 ( 0MB), size=1024MB: write-back, count=1
+reg01: base=0x40000000 (1024MB), size= 512MB: write-back, count=1
+reg02: base=0x5f700000 (1527MB), size= 1MB: uncachable, count=1
+reg03: base=0x5f800000 (1528MB), size= 8MB: uncachable, count=1
+reg04: base=0xd0000000 (3328MB), size= 256MB: write-combining, count=1
+
+Signed-off-by: Zwane Mwaikambo <zwane@infradead.org>
+Cc: Andi Kleen <ak@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/cpu/mtrr/if.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+--- linux-2.6.20.1.orig/arch/i386/kernel/cpu/mtrr/if.c
++++ linux-2.6.20.1/arch/i386/kernel/cpu/mtrr/if.c
+@@ -158,8 +158,9 @@ mtrr_ioctl(struct file *file, unsigned i
+ struct mtrr_sentry sentry;
+ struct mtrr_gentry gentry;
+ void __user *arg = (void __user *) __arg;
++ unsigned int compat_cmd = cmd;
+
+- switch (cmd) {
++ switch (compat_cmd) {
+ case MTRRIOC_ADD_ENTRY:
+ case MTRRIOC_SET_ENTRY:
+ case MTRRIOC_DEL_ENTRY:
+@@ -177,14 +178,20 @@ mtrr_ioctl(struct file *file, unsigned i
+ return -EFAULT;
+ break;
+ #ifdef CONFIG_COMPAT
+- case MTRRIOC32_ADD_ENTRY:
+- case MTRRIOC32_SET_ENTRY:
+- case MTRRIOC32_DEL_ENTRY:
+- case MTRRIOC32_KILL_ENTRY:
+- case MTRRIOC32_ADD_PAGE_ENTRY:
+- case MTRRIOC32_SET_PAGE_ENTRY:
+- case MTRRIOC32_DEL_PAGE_ENTRY:
+- case MTRRIOC32_KILL_PAGE_ENTRY: {
++#define MTRR_COMPAT_OP(op, type)\
++ case MTRRIOC32_##op: \
++ cmd = MTRRIOC_##op; \
++ goto compat_get_##type
++
++ MTRR_COMPAT_OP(ADD_ENTRY, sentry);
++ MTRR_COMPAT_OP(SET_ENTRY, sentry);
++ MTRR_COMPAT_OP(DEL_ENTRY, sentry);
++ MTRR_COMPAT_OP(KILL_ENTRY, sentry);
++ MTRR_COMPAT_OP(ADD_PAGE_ENTRY, sentry);
++ MTRR_COMPAT_OP(SET_PAGE_ENTRY, sentry);
++ MTRR_COMPAT_OP(DEL_PAGE_ENTRY, sentry);
++ MTRR_COMPAT_OP(KILL_PAGE_ENTRY, sentry);
++compat_get_sentry: {
+ struct mtrr_sentry32 __user *s32 = (struct mtrr_sentry32 __user *)__arg;
+ err = get_user(sentry.base, &s32->base);
+ err |= get_user(sentry.size, &s32->size);
+@@ -193,8 +200,9 @@ mtrr_ioctl(struct file *file, unsigned i
+ return err;
+ break;
+ }
+- case MTRRIOC32_GET_ENTRY:
+- case MTRRIOC32_GET_PAGE_ENTRY: {
++ MTRR_COMPAT_OP(GET_ENTRY, gentry);
++ MTRR_COMPAT_OP(GET_PAGE_ENTRY, gentry);
++compat_get_gentry: {
+ struct mtrr_gentry32 __user *g32 = (struct mtrr_gentry32 __user *)__arg;
+ err = get_user(gentry.regnum, &g32->regnum);
+ err |= get_user(gentry.base, &g32->base);
+@@ -204,6 +212,7 @@ mtrr_ioctl(struct file *file, unsigned i
+ return err;
+ break;
+ }
++#undef MTRR_COMPAT_OP
+ #endif
+ }
+
+@@ -287,7 +296,7 @@ mtrr_ioctl(struct file *file, unsigned i
+ if (err)
+ return err;
+
+- switch(cmd) {
++ switch(compat_cmd) {
+ case MTRRIOC_GET_ENTRY:
+ case MTRRIOC_GET_PAGE_ENTRY:
+ if (copy_to_user(arg, &gentry, sizeof gentry))
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Feb 8 14:22:41 2007
+From: "Ken Chen" <kenchen@google.com>
+Date: Thu, 08 Feb 2007 14:20:27 -0800
+Subject: hugetlb: preserve hugetlb pte dirty state
+To: torvalds@linux-foundation.org
+Cc: nish.aravamudan@gmail.com, wli@holomorphy.com, kenchen@google.com, agl@us.ibm.com, hugh@veritas.com, akpm@linux-foundation.org, stable@kernel.org, david@gibson.dropbear.id.au
+Message-ID: <200702082220.l18MKRLR028479@shell0.pdx.osdl.net>
+
+
+From: "Ken Chen" <kenchen@google.com>
+
+__unmap_hugepage_range() is buggy that it does not preserve dirty state of
+huge_pte when unmapping hugepage range. It causes data corruption in the
+event of dop_caches being used by sys admin. For example, an application
+creates a hugetlb file, modify pages, then unmap it. While leaving the
+hugetlb file alive, comes along sys admin doing a "echo 3 >
+/proc/sys/vm/drop_caches".
+
+drop_pagecache_sb() will happily free all pages that aren't marked dirty if
+there are no active mapping. Later when application remaps the hugetlb
+file back and all data are gone, triggering catastrophic flip over on
+application.
+
+Not only that, the internal resv_huge_pages count will also get all messed
+up. Fix it up by marking page dirty appropriately.
+
+Signed-off-by: Ken Chen <kenchen@google.com>
+Cc: "Nish Aravamudan" <nish.aravamudan@gmail.com>
+Cc: Adam Litke <agl@us.ibm.com>
+Cc: David Gibson <david@gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli@holomorphy.com>
+Cc: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hugetlbfs/inode.c | 5 ++++-
+ mm/hugetlb.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/fs/hugetlbfs/inode.c
++++ linux-2.6.20.1/fs/hugetlbfs/inode.c
+@@ -449,10 +449,13 @@ static int hugetlbfs_symlink(struct inod
+ }
+
+ /*
+- * For direct-IO reads into hugetlb pages
++ * mark the head page dirty
+ */
+ static int hugetlbfs_set_page_dirty(struct page *page)
+ {
++ struct page *head = (struct page *)page_private(page);
++
++ SetPageDirty(head);
+ return 0;
+ }
+
+--- linux-2.6.20.1.orig/mm/hugetlb.c
++++ linux-2.6.20.1/mm/hugetlb.c
+@@ -389,6 +389,8 @@ void __unmap_hugepage_range(struct vm_ar
+ continue;
+
+ page = pte_page(pte);
++ if (pte_dirty(pte))
++ set_page_dirty(page);
+ list_add(&page->lru, &page_list);
+ }
+ spin_unlock(&mm->page_table_lock);
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Feb 10 01:45:32 2007
+From: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+Date: Sat, 10 Feb 2007 01:43:43 -0800
+Subject: kernel/time/clocksource.c needs struct task_struct on m68k
+To: torvalds@linux-foundation.org
+Cc: mathieu.desnoyers@polymtl.ca, zippel@linux-m68k.org, stable@kernel.org, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu
+Message-ID: <200702100943.l1A9hhaO008570@shell0.pdx.osdl.net>
+
+
+From: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+
+kernel/time/clocksource.c needs struct task_struct on m68k.
+
+Because it uses spin_unlock_irq(), which, on m68k, uses hardirq_count(), which
+uses preempt_count(), which needs to dereference struct task_struct, we
+have to include sched.h. Because it would cause a loop inclusion, we
+cannot include sched.h in any other of asm-m68k/system.h,
+linux/thread_info.h, linux/hardirq.h, which leaves this ugly include in
+a C file as the only simple solution.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/clocksource.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.20.1.orig/kernel/time/clocksource.c
++++ linux-2.6.20.1/kernel/time/clocksource.c
+@@ -28,6 +28,7 @@
+ #include <linux/sysdev.h>
+ #include <linux/init.h>
+ #include <linux/module.h>
++#include <linux/sched.h> /* for spin_unlock_irq() using preempt_count() m68k */
+
+ /* XXX - Would like a better way for initializing curr_clocksource */
+ extern struct clocksource clocksource_jiffies;
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 5 16:22:39 2007
+From: Magnus Damm <magnus@valinux.co.jp>
+Date: Mon, 05 Feb 2007 16:20:09 -0800
+Subject: kexec: Fix CONFIG_SMP=n compilation V2 (ia64)
+To: tony.luck@intel.com
+Cc: linux-ia64@vger.kernel.org, jlan@sgi.com, magnus@valinux.co.jp, horms@verge.net.au, akpm@linux-foundation.org, stable@kernel.org
+Message-ID: <200702060021.l160LC1X004222@shell0.pdx.osdl.net>
+
+
+From: Magnus Damm <magnus@valinux.co.jp>
+
+Kexec support for 2.6.20 on ia64 does not build properly using a config
+made up by CONFIG_SMP=n and CONFIG_HOTPLUG_CPU=n:
+
+ CC arch/ia64/kernel/machine_kexec.o
+arch/ia64/kernel/machine_kexec.c: In function `machine_shutdown':
+arch/ia64/kernel/machine_kexec.c:77: warning: implicit declaration of function `cpu_down'
+ AS arch/ia64/kernel/relocate_kernel.o
+ CC arch/ia64/kernel/crash.o
+arch/ia64/kernel/crash.c: In function `kdump_cpu_freeze':
+arch/ia64/kernel/crash.c:139: warning: implicit declaration of function `ia64_jump_to_sal'
+arch/ia64/kernel/crash.c:139: error: `sal_boot_rendez_state' undeclared (first use in this function)
+arch/ia64/kernel/crash.c:139: error: (Each undeclared identifier is reported only once
+arch/ia64/kernel/crash.c:139: error: for each function it appears in.)
+arch/ia64/kernel/crash.c: At top level:
+arch/ia64/kernel/crash.c:84: warning: 'kdump_wait_cpu_freeze' defined but not used
+make[1]: *** [arch/ia64/kernel/crash.o] Error 1
+make: *** [arch/ia64/kernel] Error 2
+
+Signed-off-by: Magnus Damm <magnus@valinux.co.jp>
+Acked-by: Simon Horman <horms@verge.net.au>
+Acked-by: Jay Lan <jlan@sgi.com>
+Cc: "Luck, Tony" <tony.luck@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/ia64/kernel/crash.c | 11 +++++++----
+ arch/ia64/kernel/machine_kexec.c | 2 ++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- linux-2.6.20.1.orig/arch/ia64/kernel/crash.c
++++ linux-2.6.20.1/arch/ia64/kernel/crash.c
+@@ -79,6 +79,7 @@ crash_save_this_cpu()
+ final_note(buf);
+ }
+
++#ifdef CONFIG_SMP
+ static int
+ kdump_wait_cpu_freeze(void)
+ {
+@@ -91,6 +92,7 @@ kdump_wait_cpu_freeze(void)
+ }
+ return 1;
+ }
++#endif
+
+ void
+ machine_crash_shutdown(struct pt_regs *pt)
+@@ -132,11 +134,12 @@ kdump_cpu_freeze(struct unw_frame_info *
+ atomic_inc(&kdump_cpu_freezed);
+ kdump_status[cpuid] = 1;
+ mb();
+- if (cpuid == 0) {
+- for (;;)
+- cpu_relax();
+- } else
++#ifdef CONFIG_HOTPLUG_CPU
++ if (cpuid != 0)
+ ia64_jump_to_sal(&sal_boot_rendez_state[cpuid]);
++#endif
++ for (;;)
++ cpu_relax();
+ }
+
+ static int
+--- linux-2.6.20.1.orig/arch/ia64/kernel/machine_kexec.c
++++ linux-2.6.20.1/arch/ia64/kernel/machine_kexec.c
+@@ -70,12 +70,14 @@ void machine_kexec_cleanup(struct kimage
+
+ void machine_shutdown(void)
+ {
++#ifdef CONFIG_HOTPLUG_CPU
+ int cpu;
+
+ for_each_online_cpu(cpu) {
+ if (cpu != smp_processor_id())
+ cpu_down(cpu);
+ }
++#endif
+ kexec_disable_iosapic();
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 12 00:56:50 2007
+From: S.Caglar Onur <caglar@pardus.org.tr>
+Date: Mon, 12 Feb 2007 00:54:34 -0800
+Subject: kvm: Fix asm constraint for lldt instruction
+To: torvalds@linux-foundation.org
+Cc: caglar@pardus.org.tr, akpm@linux-foundation.org, mingo@elte.hu, avi@qumranet.com, stable@kernel.org
+Message-ID: <200702120854.l1C8sYVm027152@shell0.pdx.osdl.net>
+
+
+From: S.Caglar Onur <caglar@pardus.org.tr>
+
+lldt does not accept immediate operands, which "g" allows.
+
+Signed-off-by: S.Caglar Onur <caglar@pardus.org.tr>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/kvm/kvm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/drivers/kvm/kvm.h
++++ linux-2.6.20.1/drivers/kvm/kvm.h
+@@ -558,7 +558,7 @@ static inline void load_gs(u16 sel)
+ #ifndef load_ldt
+ static inline void load_ldt(u16 sel)
+ {
+- asm ("lldt %0" : : "g"(sel));
++ asm ("lldt %0" : : "rm"(sel));
+ }
+ #endif
+
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 12 00:54:10 2007
+Date: Mon, 12 Feb 2007 00:52:20 -0800
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Subject: lockdep: forward declare struct task_struct
+To: torvalds@linux-foundation.org
+Cc: schwidefsky@de.ibm.com, akpm@linux-foundation.org, heiko.carstens@de.ibm.com, mingo@elte.hu, stable@kernel.org
+Message-ID: <200702120852.l1C8qKJr026562@shell0.pdx.osdl.net>
+
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+3117df0453828bd045c16244e6f50e5714667a8a causes this:
+
+In file included from arch/s390/kernel/early.c:13:
+include/linux/lockdep.h:300: warning:
+ "struct task_struct" declared inside parameter list
+include/linux/lockdep.h:300:
+ warning: its scope is only this definition or
+ declaration, which is probably not what you want
+
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/lockdep.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.20.1.orig/include/linux/lockdep.h
++++ linux-2.6.20.1/include/linux/lockdep.h
+@@ -8,6 +8,8 @@
+ #ifndef __LINUX_LOCKDEP_H
+ #define __LINUX_LOCKDEP_H
+
++struct task_struct;
++
+ #ifdef CONFIG_LOCKDEP
+
+ #include <linux/linkage.h>
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Feb 10 01:45:13 2007
+From: Hirokazu Takata <takata@linux-m32r.org>
+Date: Sat, 10 Feb 2007 01:43:35 -0800
+Subject: m32r: build fix for processors without ISA_DSP_LEVEL2
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, takata@linux-m32r.org, stable@kernel.org
+Message-ID: <200702100943.l1A9ha01008543@shell0.pdx.osdl.net>
+
+
+From: Hirokazu Takata <takata@linux-m32r.org>
+
+Additional fixes for processors without ISA_DSP_LEVEL2. sigcontext_t does not
+have dummy_acc1h, dummy_acc1l members any longer.
+
+Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/m32r/kernel/process.c | 2 +-
+ arch/m32r/kernel/signal.c | 26 ++++----------------------
+ 2 files changed, 5 insertions(+), 23 deletions(-)
+
+--- linux-2.6.20.1.orig/arch/m32r/kernel/process.c
++++ linux-2.6.20.1/arch/m32r/kernel/process.c
+@@ -174,7 +174,7 @@ void show_regs(struct pt_regs * regs)
+ regs->acc1h, regs->acc1l);
+ #elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R)
+ printk("ACCH[%08lx]:ACCL[%08lx]\n", \
+- regs->acch, regs->accl);
++ regs->acc0h, regs->acc0l);
+ #else
+ #error unknown isa configuration
+ #endif
+--- linux-2.6.20.1.orig/arch/m32r/kernel/signal.c
++++ linux-2.6.20.1/arch/m32r/kernel/signal.c
+@@ -109,19 +109,10 @@ restore_sigcontext(struct pt_regs *regs,
+ COPY(r10);
+ COPY(r11);
+ COPY(r12);
+-#if defined(CONFIG_ISA_M32R2) && defined(CONFIG_ISA_DSP_LEVEL2)
+ COPY(acc0h);
+ COPY(acc0l);
+- COPY(acc1h);
+- COPY(acc1l);
+-#elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R)
+- COPY(acch);
+- COPY(accl);
+- COPY(dummy_acc1h);
+- COPY(dummy_acc1l);
+-#else
+-#error unknown isa configuration
+-#endif
++ COPY(acc1h); /* ISA_DSP_LEVEL2 only */
++ COPY(acc1l); /* ISA_DSP_LEVEL2 only */
+ COPY(psw);
+ COPY(bpc);
+ COPY(bbpsw);
+@@ -196,19 +187,10 @@ setup_sigcontext(struct sigcontext __use
+ COPY(r10);
+ COPY(r11);
+ COPY(r12);
+-#if defined(CONFIG_ISA_M32R2) && defined(CONFIG_ISA_DSP_LEVEL2)
+ COPY(acc0h);
+ COPY(acc0l);
+- COPY(acc1h);
+- COPY(acc1l);
+-#elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R)
+- COPY(acch);
+- COPY(accl);
+- COPY(dummy_acc1h);
+- COPY(dummy_acc1l);
+-#else
+-#error unknown isa configuration
+-#endif
++ COPY(acc1h); /* ISA_DSP_LEVEL2 only */
++ COPY(acc1l); /* ISA_DSP_LEVEL2 only */
+ COPY(psw);
+ COPY(bpc);
+ COPY(bbpsw);
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Mon, 05 Feb 2007 12:33:23 -0800
+Subject: NLM: Fix double free in __nlm_async_call
+To: stable@kernel.org
+Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com
+Message-ID: <200702052033.l15KXNCl030349@shell0.pdx.osdl.net>
+
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+rpc_call_async() will always call rpc_release_calldata(), so it is an
+error for __nlm_async_call() to do so as well.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Cc: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+Cc: Neil Brown <neilb@suse.de>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/lockd/clntproc.c | 9 +++------
+ fs/lockd/svclock.c | 4 +---
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- linux-2.6.20.1.orig/fs/lockd/clntproc.c
++++ linux-2.6.20.1/fs/lockd/clntproc.c
+@@ -361,7 +361,6 @@ static int __nlm_async_call(struct nlm_r
+ {
+ struct nlm_host *host = req->a_host;
+ struct rpc_clnt *clnt;
+- int status = -ENOLCK;
+
+ dprintk("lockd: call procedure %d on %s (async)\n",
+ (int)proc, host->h_name);
+@@ -373,12 +372,10 @@ static int __nlm_async_call(struct nlm_r
+ msg->rpc_proc = &clnt->cl_procinfo[proc];
+
+ /* bootstrap and kick off the async RPC call */
+- status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
+- if (status == 0)
+- return 0;
++ return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
+ out_err:
+- nlm_release_call(req);
+- return status;
++ tk_ops->rpc_release(req);
++ return -ENOLCK;
+ }
+
+ int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops)
+--- linux-2.6.20.1.orig/fs/lockd/svclock.c
++++ linux-2.6.20.1/fs/lockd/svclock.c
+@@ -593,9 +593,7 @@ callback:
+
+ /* Call the client */
+ kref_get(&block->b_count);
+- if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG,
+- &nlmsvc_grant_ops) < 0)
+- nlmsvc_release_block(block);
++ nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops);
+ }
+
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Mon, 05 Feb 2007 12:33:22 -0800
+Subject: RPM: fix double free in portmapper code
+To: stable@kernel.org
+Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com
+Message-ID: <200702052033.l15KXMIU030346@shell0.pdx.osdl.net>
+
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+rpc_run_task is guaranteed to always call ->rpc_release.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Cc: Neil Brown <neilb@suse.de>
+Cc: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/sunrpc/pmap_clnt.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/net/sunrpc/pmap_clnt.c
++++ linux-2.6.20.1/net/sunrpc/pmap_clnt.c
+@@ -62,7 +62,10 @@ static inline void pmap_map_free(struct
+
+ static void pmap_map_release(void *data)
+ {
+- pmap_map_free(data);
++ struct portmap_args *map = data;
++
++ xprt_put(map->pm_xprt);
++ pmap_map_free(map);
+ }
+
+ static const struct rpc_call_ops pmap_getport_ops = {
+@@ -133,7 +136,7 @@ void rpc_getport(struct rpc_task *task)
+ status = -EIO;
+ child = rpc_run_task(pmap_clnt, RPC_TASK_ASYNC, &pmap_getport_ops, map);
+ if (IS_ERR(child))
+- goto bailout;
++ goto bailout_nofree;
+ rpc_put_task(child);
+
+ task->tk_xprt->stat.bind_count++;
+@@ -222,7 +225,6 @@ static void pmap_getport_done(struct rpc
+ child->tk_pid, status, map->pm_port);
+
+ pmap_wake_portmap_waiters(xprt, status);
+- xprt_put(xprt);
+ }
+
+ /**
usb-usbnet-driver-bugfix.patch
backport-of-psmouse-suspend-shutdown-cleanups.patch
revert-log2-alter-get_order-so-that-it-can-make-use-of-ilog2-on-a-constant.patch
+rpm-fix-double-free-in-portmapper-code.patch
+nlm-fix-double-free-in-__nlm_async_call.patch
+kexec-fix-config_smp-n-compilation-v2.patch
+fix-mtrr-compat-ioctl.patch
+ufs-restore-back-support-of-openstep.patch
+v9fs_vfs_mkdir-fix-a-double-free.patch
+enable-mouse-button-2-3-emulation-for-x86-macs.patch
+hugetlb-preserve-hugetlb-pte-dirty-state.patch
+m32r-build-fix-for-processors-without-isa_dsp_level2.patch
+kernel-time-clocksource.c-needs-struct-task_struct-on-m68k.patch
+buffer-memorder-fix.patch
+char-specialix-isr-have-2-params.patch
+lockdep-forward-declare-struct-task_struct.patch
+kvm-fix-asm-constraint-for-lldt-instruction.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Feb 8 14:21:58 2007
+From: Evgeniy Dushistov <dushistov@mail.ru>
+Date: Thu, 08 Feb 2007 14:20:25 -0800
+Subject: ufs: restore back support of openstep
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, dushistov@mail.ru, stable@kernel.org
+Message-ID: <200702082220.l18MKQcn028473@shell0.pdx.osdl.net>
+
+
+From: Evgeniy Dushistov <dushistov@mail.ru>
+
+This is a fix of regression, which triggered by ~2.6.16.
+
+Patch with name ufs-directory-and-page-cache-from-blocks-to-pages.patch: in
+additional to conversation from block to page cache mechanism added new
+checks of directory integrity, one of them that directory entry do not
+across directory chunks.
+
+But some kinds of UFS: OpenStep UFS and Apple UFS (looks like these are the
+same filesystems) have different directory chunk size, then common
+UFSes(BSD and Solaris UFS).
+
+So this patch adds ability to works with variable size of directory chunks,
+and set it for ufstype=openstep to right size.
+
+Tested on darwin ufs.
+
+Signed-off-by: Evgeniy Dushistov <dushistov@mail.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ufs/dir.c | 21 ++++++++++++---------
+ fs/ufs/super.c | 5 ++++-
+ include/linux/ufs_fs.h | 1 +
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+--- linux-2.6.20.1.orig/fs/ufs/dir.c
++++ linux-2.6.20.1/fs/ufs/dir.c
+@@ -106,12 +106,13 @@ static void ufs_check_page(struct page *
+ char *kaddr = page_address(page);
+ unsigned offs, rec_len;
+ unsigned limit = PAGE_CACHE_SIZE;
++ const unsigned chunk_mask = UFS_SB(sb)->s_uspi->s_dirblksize - 1;
+ struct ufs_dir_entry *p;
+ char *error;
+
+ if ((dir->i_size >> PAGE_CACHE_SHIFT) == page->index) {
+ limit = dir->i_size & ~PAGE_CACHE_MASK;
+- if (limit & (UFS_SECTOR_SIZE - 1))
++ if (limit & chunk_mask)
+ goto Ebadsize;
+ if (!limit)
+ goto out;
+@@ -126,7 +127,7 @@ static void ufs_check_page(struct page *
+ goto Ealign;
+ if (rec_len < UFS_DIR_REC_LEN(ufs_get_de_namlen(sb, p)))
+ goto Enamelen;
+- if (((offs + rec_len - 1) ^ offs) & ~(UFS_SECTOR_SIZE-1))
++ if (((offs + rec_len - 1) ^ offs) & ~chunk_mask)
+ goto Espan;
+ if (fs32_to_cpu(sb, p->d_ino) > (UFS_SB(sb)->s_uspi->s_ipg *
+ UFS_SB(sb)->s_uspi->s_ncg))
+@@ -310,6 +311,7 @@ int ufs_add_link(struct dentry *dentry,
+ int namelen = dentry->d_name.len;
+ struct super_block *sb = dir->i_sb;
+ unsigned reclen = UFS_DIR_REC_LEN(namelen);
++ const unsigned int chunk_size = UFS_SB(sb)->s_uspi->s_dirblksize;
+ unsigned short rec_len, name_len;
+ struct page *page = NULL;
+ struct ufs_dir_entry *de;
+@@ -342,8 +344,8 @@ int ufs_add_link(struct dentry *dentry,
+ if ((char *)de == dir_end) {
+ /* We hit i_size */
+ name_len = 0;
+- rec_len = UFS_SECTOR_SIZE;
+- de->d_reclen = cpu_to_fs16(sb, UFS_SECTOR_SIZE);
++ rec_len = chunk_size;
++ de->d_reclen = cpu_to_fs16(sb, chunk_size);
+ de->d_ino = 0;
+ goto got_it;
+ }
+@@ -431,7 +433,7 @@ ufs_readdir(struct file *filp, void *dir
+ unsigned int offset = pos & ~PAGE_CACHE_MASK;
+ unsigned long n = pos >> PAGE_CACHE_SHIFT;
+ unsigned long npages = ufs_dir_pages(inode);
+- unsigned chunk_mask = ~(UFS_SECTOR_SIZE - 1);
++ unsigned chunk_mask = ~(UFS_SB(sb)->s_uspi->s_dirblksize - 1);
+ int need_revalidate = filp->f_version != inode->i_version;
+ unsigned flags = UFS_SB(sb)->s_flags;
+
+@@ -511,7 +513,7 @@ int ufs_delete_entry(struct inode *inode
+ struct super_block *sb = inode->i_sb;
+ struct address_space *mapping = page->mapping;
+ char *kaddr = page_address(page);
+- unsigned from = ((char*)dir - kaddr) & ~(UFS_SECTOR_SIZE - 1);
++ unsigned from = ((char*)dir - kaddr) & ~(UFS_SB(sb)->s_uspi->s_dirblksize - 1);
+ unsigned to = ((char*)dir - kaddr) + fs16_to_cpu(sb, dir->d_reclen);
+ struct ufs_dir_entry *pde = NULL;
+ struct ufs_dir_entry *de = (struct ufs_dir_entry *) (kaddr + from);
+@@ -556,6 +558,7 @@ int ufs_make_empty(struct inode * inode,
+ struct super_block * sb = dir->i_sb;
+ struct address_space *mapping = inode->i_mapping;
+ struct page *page = grab_cache_page(mapping, 0);
++ const unsigned int chunk_size = UFS_SB(sb)->s_uspi->s_dirblksize;
+ struct ufs_dir_entry * de;
+ char *base;
+ int err;
+@@ -563,7 +566,7 @@ int ufs_make_empty(struct inode * inode,
+ if (!page)
+ return -ENOMEM;
+ kmap(page);
+- err = mapping->a_ops->prepare_write(NULL, page, 0, UFS_SECTOR_SIZE);
++ err = mapping->a_ops->prepare_write(NULL, page, 0, chunk_size);
+ if (err) {
+ unlock_page(page);
+ goto fail;
+@@ -584,11 +587,11 @@ int ufs_make_empty(struct inode * inode,
+ ((char *)de + fs16_to_cpu(sb, de->d_reclen));
+ de->d_ino = cpu_to_fs32(sb, dir->i_ino);
+ ufs_set_de_type(sb, de, dir->i_mode);
+- de->d_reclen = cpu_to_fs16(sb, UFS_SECTOR_SIZE - UFS_DIR_REC_LEN(1));
++ de->d_reclen = cpu_to_fs16(sb, chunk_size - UFS_DIR_REC_LEN(1));
+ ufs_set_de_namlen(sb, de, 2);
+ strcpy (de->d_name, "..");
+
+- err = ufs_commit_chunk(page, 0, UFS_SECTOR_SIZE);
++ err = ufs_commit_chunk(page, 0, chunk_size);
+ fail:
+ kunmap(page);
+ page_cache_release(page);
+--- linux-2.6.20.1.orig/fs/ufs/super.c
++++ linux-2.6.20.1/fs/ufs/super.c
+@@ -649,7 +649,7 @@ static int ufs_fill_super(struct super_b
+ kmalloc (sizeof(struct ufs_sb_private_info), GFP_KERNEL);
+ if (!uspi)
+ goto failed;
+-
++ uspi->s_dirblksize = UFS_SECTOR_SIZE;
+ super_block_offset=UFS_SBLOCK;
+
+ /* Keep 2Gig file limit. Some UFS variants need to override
+@@ -718,6 +718,7 @@ static int ufs_fill_super(struct super_b
+ break;
+
+ case UFS_MOUNT_UFSTYPE_NEXTSTEP:
++ /*TODO: check may be we need set special dir block size?*/
+ UFSD("ufstype=nextstep\n");
+ uspi->s_fsize = block_size = 1024;
+ uspi->s_fmask = ~(1024 - 1);
+@@ -733,6 +734,7 @@ static int ufs_fill_super(struct super_b
+ break;
+
+ case UFS_MOUNT_UFSTYPE_NEXTSTEP_CD:
++ /*TODO: check may be we need set special dir block size?*/
+ UFSD("ufstype=nextstep-cd\n");
+ uspi->s_fsize = block_size = 2048;
+ uspi->s_fmask = ~(2048 - 1);
+@@ -754,6 +756,7 @@ static int ufs_fill_super(struct super_b
+ uspi->s_fshift = 10;
+ uspi->s_sbsize = super_block_size = 2048;
+ uspi->s_sbbase = 0;
++ uspi->s_dirblksize = 1024;
+ flags |= UFS_DE_44BSD | UFS_UID_44BSD | UFS_ST_44BSD | UFS_CG_44BSD;
+ if (!(sb->s_flags & MS_RDONLY)) {
+ if (!silent)
+--- linux-2.6.20.1.orig/include/linux/ufs_fs.h
++++ linux-2.6.20.1/include/linux/ufs_fs.h
+@@ -789,6 +789,7 @@ struct ufs_sb_private_info {
+
+ __u32 s_maxsymlinklen;/* upper limit on fast symlinks' size */
+ __s32 fs_magic; /* filesystem magic */
++ unsigned int s_dirblksize;
+ };
+
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Feb 8 14:22:20 2007
+From: Adrian Bunk <bunk@stusta.de>
+Date: Thu, 08 Feb 2007 14:20:38 -0800
+Subject: v9fs_vfs_mkdir(): fix a double free
+To: torvalds@linux-foundation.org
+Cc: ericvh@gmail.com, akpm@linux-foundation.org, stable@kernel.org, bunk@stusta.de
+Message-ID: <200702082220.l18MKcCN028498@shell0.pdx.osdl.net>
+
+
+From: Adrian Bunk <bunk@stusta.de>
+
+Fix a double free of "dfid" introduced by commit
+da977b2c7eb4d6312f063a7b486f2aad99809710 and spotted by the Coverity
+checker.
+
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+ fs/9p/vfs_inode.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- linux-2.6.20.1.orig/fs/9p/vfs_inode.c
++++ linux-2.6.20.1/fs/9p/vfs_inode.c
+@@ -585,17 +585,14 @@ static int v9fs_vfs_mkdir(struct inode *
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ inode = NULL;
+- goto clean_up_fids;
++ v9fs_fid_destroy(vfid);
++ goto error;
+ }
+
+ dentry->d_op = &v9fs_dentry_operations;
+ d_instantiate(dentry, inode);
+ return 0;
+
+-clean_up_fids:
+- if (vfid)
+- v9fs_fid_destroy(vfid);
+-
+ clean_up_dfid:
+ v9fs_fid_clunk(v9ses, dfid);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
