.30 bugfixes

diff --git a/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch b/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch
new file mode 100644 (file)
index 0000000..0ff7afd
--- /dev/null
+++ b/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch
@@ -0,0 +1,42 @@
+From 69130c7cf96ea853dc5be599dd6a4b98907d39cc Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 6 Aug 2009 15:07:37 -0700
+Subject: compat_ioctl: hook up compat handler for FIEMAP ioctl
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit 69130c7cf96ea853dc5be599dd6a4b98907d39cc upstream.
+
+The FIEMAP_IOC_FIEMAP mapping ioctl was missing a 32-bit compat handler,
+which means that 32-bit suerspace on 64-bit kernels cannot use this ioctl
+command.
+
+The structure is nicely aligned, padded, and sized, so it is just this
+simple.
+
+Tested w/ 32-bit ioctl tester (from Josef) on a 64-bit kernel on ext4.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: <linux-ext4@vger.kernel.org>
+Cc: Mark Lord <lkml@rtr.ca>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Josef Bacik <josef@redhat.com>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/compat_ioctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -1915,6 +1915,7 @@ COMPATIBLE_IOCTL(FIONCLEX)
+ COMPATIBLE_IOCTL(FIOASYNC)
+ COMPATIBLE_IOCTL(FIONBIO)
+ COMPATIBLE_IOCTL(FIONREAD)  /* This is also TIOCINQ */
++COMPATIBLE_IOCTL(FS_IOC_FIEMAP)
+ /* 0x00 */
+ COMPATIBLE_IOCTL(FIBMAP)
+ COMPATIBLE_IOCTL(FIGETBSZ)

diff --git a/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch b/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch
new file mode 100644 (file)
index 0000000..ff363fc
--- /dev/null
+++ b/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch
@@ -0,0 +1,126 @@
+From 9c8a8228d0827e0d91d28527209988f672f97d28 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 15:09:28 -0700
+Subject: execve: must clear current->clear_child_tid
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 9c8a8228d0827e0d91d28527209988f672f97d28 upstream.
+
+While looking at Jens Rosenboom bug report
+(http://lkml.org/lkml/2009/7/27/35) about strange sys_futex call done from
+a dying "ps" program, we found following problem.
+
+clone() syscall has special support for TID of created threads.  This
+support includes two features.
+
+One (CLONE_CHILD_SETTID) is to set an integer into user memory with the
+TID value.
+
+One (CLONE_CHILD_CLEARTID) is to clear this same integer once the created
+thread dies.
+
+The integer location is a user provided pointer, provided at clone()
+time.
+
+kernel keeps this pointer value into current->clear_child_tid.
+
+At execve() time, we should make sure kernel doesnt keep this user
+provided pointer, as full user memory is replaced by a new one.
+
+As glibc fork() actually uses clone() syscall with CLONE_CHILD_SETTID and
+CLONE_CHILD_CLEARTID set, chances are high that we might corrupt user
+memory in forked processes.
+
+Following sequence could happen:
+
+1) bash (or any program) starts a new process, by a fork() call that
+   glibc maps to a clone( ...  CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID
+   ...) syscall
+
+2) When new process starts, its current->clear_child_tid is set to a
+   location that has a meaning only in bash (or initial program) context
+   (&THREAD_SELF->tid)
+
+3) This new process does the execve() syscall to start a new program.
+   current->clear_child_tid is left unchanged (a non NULL value)
+
+4) If this new program creates some threads, and initial thread exits,
+   kernel will attempt to clear the integer pointed by
+   current->clear_child_tid from mm_release() :
+
+        if (tsk->clear_child_tid
+            && !(tsk->flags & PF_SIGNALED)
+            && atomic_read(&mm->mm_users) > 1) {
+                u32 __user * tidptr = tsk->clear_child_tid;
+                tsk->clear_child_tid = NULL;
+
+                /*
+                 * We don't check the error code - if userspace has
+                 * not set up a proper pointer then tough luck.
+                 */
+<< here >>      put_user(0, tidptr);
+                sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
+        }
+
+5) OR : if new program is not multi-threaded, but spied by /proc/pid
+   users (ps command for example), mm_users > 1, and the exiting program
+   could corrupt 4 bytes in a persistent memory area (shm or memory mapped
+   file)
+
+If current->clear_child_tid points to a writeable portion of memory of the
+new program, kernel happily and silently corrupts 4 bytes of memory, with
+unexpected effects.
+
+Fix is straightforward and should not break any sane program.
+
+Reported-by: Jens Rosenboom <jens@mcbone.net>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sonny Rao <sonnyrao@us.ibm.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ulrich Drepper <drepper@redhat.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/fork.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -568,18 +568,18 @@ void mm_release(struct task_struct *tsk,
+        * the value intact in a core dump, and to save the unnecessary
+        * trouble otherwise.  Userland only wants this done for a sys_exit.
+        */
+-      if (tsk->clear_child_tid
+-          && !(tsk->flags & PF_SIGNALED)
+-          && atomic_read(&mm->mm_users) > 1) {
+-              u32 __user * tidptr = tsk->clear_child_tid;
++      if (tsk->clear_child_tid) {
++              if (!(tsk->flags & PF_SIGNALED) &&
++                  atomic_read(&mm->mm_users) > 1) {
++                      /*
++                       * We don't check the error code - if userspace has
++                       * not set up a proper pointer then tough luck.
++                       */
++                      put_user(0, tsk->clear_child_tid);
++                      sys_futex(tsk->clear_child_tid, FUTEX_WAKE,
++                                      1, NULL, NULL, 0);
++              }
+               tsk->clear_child_tid = NULL;
+-
+-              /*
+-               * We don't check the error code - if userspace has
+-               * not set up a proper pointer then tough luck.
+-               */
+-              put_user(0, tidptr);
+-              sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
+       }
+ }
+ 

diff --git a/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch b/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch
new file mode 100644 (file)
index 0000000..f20e2f0
--- /dev/null
+++ b/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch
@@ -0,0 +1,54 @@
+From 3440625d78711bee41a84cf29c3d8c579b522666 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 6 Aug 2009 15:09:34 -0700
+Subject: flat: fix uninitialized ptr with shared libs
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3440625d78711bee41a84cf29c3d8c579b522666 upstream.
+
+The new credentials code broke load_flat_shared_library() as it now uses
+an uninitialized cred pointer.
+
+Reported-by: Bernd Schmidt <bernds_cb1@t-online.de>
+Tested-by: Bernd Schmidt <bernds_cb1@t-online.de>
+Cc: Mike Frysinger <vapier@gentoo.org>
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/binfmt_flat.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -828,15 +828,22 @@ static int load_flat_shared_library(int 
+       if (IS_ERR(bprm.file))
+               return res;
+ 
++      bprm.cred = prepare_exec_creds();
++      res = -ENOMEM;
++      if (!bprm.cred)
++              goto out;
++
+       res = prepare_binprm(&bprm);
+ 
+       if (res <= (unsigned long)-4096)
+               res = load_flat_file(&bprm, libs, id, NULL);
+-      if (bprm.file) {
+-              allow_write_access(bprm.file);
+-              fput(bprm.file);
+-              bprm.file = NULL;
+-      }
++
++      abort_creds(bprm.cred);
++
++out:
++      allow_write_access(bprm.file);
++      fput(bprm.file);
++
+       return(res);
+ }
+ 

diff --git a/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch b/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch
new file mode 100644 (file)
index 0000000..da9177b
--- /dev/null
+++ b/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch
@@ -0,0 +1,42 @@
+From 69dd647f969c28d18de77e2153f30d05a1874571 Mon Sep 17 00:00:00 2001
+From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Date: Thu, 6 Aug 2009 15:07:29 -0700
+Subject: generic-ipi: fix hotplug_cfd()
+
+From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+
+commit 69dd647f969c28d18de77e2153f30d05a1874571 upstream.
+
+Use CONFIG_HOTPLUG_CPU, not CONFIG_CPU_HOTPLUG
+
+When hot-unpluging a cpu, it will leak memory allocated at cpu hotplug,
+but only if CPUMASK_OFFSTACK=y, which is default to n.
+
+The bug was introduced by 8969a5ede0f9e17da4b943712429aef2c9bcd82b
+("generic-ipi: remove kmalloc()").
+
+Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Cc: Nick Piggin <nickpiggin@yahoo.com.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/smp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -57,7 +57,7 @@ hotplug_cfd(struct notifier_block *nfb, 
+                       return NOTIFY_BAD;
+               break;
+ 
+-#ifdef CONFIG_CPU_HOTPLUG
++#ifdef CONFIG_HOTPLUG_CPU
+       case CPU_UP_CANCELED:
+       case CPU_UP_CANCELED_FROZEN:
+ 

diff --git a/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch b/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch
new file mode 100644 (file)
index 0000000..1f4d77e
--- /dev/null
+++ b/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch
@@ -0,0 +1,31 @@
+From bd3f02212d6a457267e0c9c02c426151c436d9d4 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Fri, 7 Aug 2009 12:49:29 +0200
+Subject: ring-buffer: Fix memleak in ring_buffer_free()
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit bd3f02212d6a457267e0c9c02c426151c436d9d4 upstream.
+
+I noticed oprofile memleaked in linux-2.6 current tree,
+and tracked this ring-buffer leak.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+LKML-Reference: <4A7C06B9.2090302@gmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/trace/ring_buffer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -695,6 +695,7 @@ ring_buffer_free(struct ring_buffer *buf
+ 
+       put_online_cpus();
+ 
++      kfree(buffer->buffers);
+       free_cpumask_var(buffer->cpumask);
+ 
+       kfree(buffer);

diff --git a/queue-2.6.30/series b/queue-2.6.30/series
index 333ed067d009ec4d026f6d0a781a219fa36f370a..2f304d132cc1b9e7d55b49b805e3406c2f45c863 100644 (file)
--- a/queue-2.6.30/series
+++ b/queue-2.6.30/series
@@ -52,3 +52,15 @@ atl1c-wake_mcast-tested-twice-not-wake_ucast.patch
 atl1c-add-missing-parentheses.patch
 atl1c-misplaced-parenthesis.patch
 md-handle-growth-of-v1.x-metadata-correctly.patch
+execve-must-clear-current-clear_child_tid.patch
+flat-fix-uninitialized-ptr-with-shared-libs.patch
+compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch
+generic-ipi-fix-hotplug_cfd.patch
+staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch
+usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch
+usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch
+usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch
+usb-usbfs-fix-enoent-error-code-to-be-enodev.patch
+usb-devio-properly-do-access_ok-checks.patch
+ring-buffer-fix-memleak-in-ring_buffer_free.patch
+x86-fix-vmi-stack-protector.patch

diff --git a/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch b/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch
new file mode 100644 (file)
index 0000000..e148a8b
--- /dev/null
+++ b/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch
@@ -0,0 +1,329 @@
+From 2c63abf9e8a51dec886da482dfd8ae752581a61c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Fri, 31 Jul 2009 07:14:04 +0200
+Subject: Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit 2c63abf9e8a51dec886da482dfd8ae752581a61c upstream.
+
+[Mike Galbraith did the upstream revert, which was more complex]
+
+Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API
+
+The sanity check this patch introduced triggers on shutdown, apparently due to
+threads having already exited by the time BUG_ON() is reached.
+
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Teoh <htmldeveloper@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/staging/rt2870/2870_main_dev.c         |   67 ++++++++++++++++---------
+ drivers/staging/rt2870/common/2870_rtmp_init.c |   35 +++++--------
+ drivers/staging/rt2870/common/cmm_data.c       |    3 +
+ drivers/staging/rt2870/common/rtmp_init.c      |    2 
+ drivers/staging/rt2870/common/rtusb_io.c       |    3 -
+ drivers/staging/rt2870/rt2870.h                |    6 --
+ drivers/staging/rt2870/rt_linux.h              |   11 ++--
+ 7 files changed, 74 insertions(+), 53 deletions(-)
+
+--- a/drivers/staging/rt2870/2870_main_dev.c
++++ b/drivers/staging/rt2870/2870_main_dev.c
+@@ -265,7 +265,7 @@ INT MlmeThread(
+        */
+       DBGPRINT(RT_DEBUG_TRACE,( "<---%s\n",__func__));
+ 
+-      pObj->MLMEThr_task = NULL;
++      pObj->MLMEThr_pid = THREAD_PID_INIT_VALUE;
+ 
+       complete_and_exit (&pAd->mlmeComplete, 0);
+       return 0;
+@@ -373,7 +373,7 @@ INT RTUSBCmdThread(
+        */
+       DBGPRINT(RT_DEBUG_TRACE,( "<---RTUSBCmdThread\n"));
+ 
+-      pObj->RTUSBCmdThr_task = NULL;
++      pObj->RTUSBCmdThr_pid = THREAD_PID_INIT_VALUE;
+ 
+       complete_and_exit (&pAd->CmdQComplete, 0);
+       return 0;
+@@ -467,7 +467,7 @@ INT TimerQThread(
+        */
+       DBGPRINT(RT_DEBUG_TRACE,( "<---%s\n",__func__));
+ 
+-      pObj->TimerQThr_task = NULL;
++      pObj->TimerQThr_pid = THREAD_PID_INIT_VALUE;
+ 
+       complete_and_exit(&pAd->TimerQComplete, 0);
+       return 0;
+@@ -944,46 +944,69 @@ VOID RT28xxThreadTerminate(
+       RTUSBCancelPendingIRPs(pAd);
+ 
+       // Terminate Threads
+-      BUG_ON(pObj->TimerQThr_task == NULL);
+-      CHECK_PID_LEGALITY(task_pid(pObj->TimerQThr_task))
++      CHECK_PID_LEGALITY(pObj->TimerQThr_pid)
+       {
+               POS_COOKIE pObj = (POS_COOKIE)pAd->OS_Cookie;
+ 
+-              printk(KERN_DEBUG "Terminate the TimerQThr pid=%d!\n",
+-                      pid_nr(task_pid(pObj->TimerQThr_task)));
++              printk("Terminate the TimerQThr_pid=%d!\n", GET_PID_NUMBER(pObj->TimerQThr_pid));
+               mb();
+               pAd->TimerFunc_kill = 1;
+               mb();
+-              kthread_stop(pObj->TimerQThr_task);
+-              pObj->TimerQThr_task = NULL;
++              ret = KILL_THREAD_PID(pObj->TimerQThr_pid, SIGTERM, 1);
++              if (ret)
++              {
++                      printk(KERN_WARNING "%s: unable to stop TimerQThread, pid=%d, ret=%d!\n",
++                                      pAd->net_dev->name, GET_PID_NUMBER(pObj->TimerQThr_pid), ret);
++              }
++              else
++              {
++                      wait_for_completion(&pAd->TimerQComplete);
++                      pObj->TimerQThr_pid = THREAD_PID_INIT_VALUE;
++              }
+       }
+ 
+-      BUG_ON(pObj->MLMEThr_task == NULL);
+-      CHECK_PID_LEGALITY(task_pid(pObj->MLMEThr_task))
++      CHECK_PID_LEGALITY(pObj->MLMEThr_pid)
+       {
+-              printk(KERN_DEBUG "Terminate the MLMEThr pid=%d!\n",
+-                      pid_nr(task_pid(pObj->MLMEThr_task)));
++              printk("Terminate the MLMEThr_pid=%d!\n", GET_PID_NUMBER(pObj->MLMEThr_pid));
+               mb();
+               pAd->mlme_kill = 1;
+               //RT28XX_MLME_HANDLER(pAd);
+               mb();
+-              kthread_stop(pObj->MLMEThr_task);
+-              pObj->MLMEThr_task = NULL;
++              ret = KILL_THREAD_PID(pObj->MLMEThr_pid, SIGTERM, 1);
++              if (ret)
++              {
++                      printk (KERN_WARNING "%s: unable to Mlme thread, pid=%d, ret=%d!\n",
++                                      pAd->net_dev->name, GET_PID_NUMBER(pObj->MLMEThr_pid), ret);
++              }
++              else
++              {
++                      //wait_for_completion (&pAd->notify);
++                      wait_for_completion (&pAd->mlmeComplete);
++                      pObj->MLMEThr_pid = THREAD_PID_INIT_VALUE;
++              }
+       }
+ 
+-      BUG_ON(pObj->RTUSBCmdThr_task == NULL);
+-      CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task))
++      CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid)
+       {
+-              printk(KERN_DEBUG "Terminate the RTUSBCmdThr pid=%d!\n",
+-                      pid_nr(task_pid(pObj->RTUSBCmdThr_task)));
++              printk("Terminate the RTUSBCmdThr_pid=%d!\n", GET_PID_NUMBER(pObj->RTUSBCmdThr_pid));
+               mb();
+               NdisAcquireSpinLock(&pAd->CmdQLock);
+               pAd->CmdQ.CmdQState = RT2870_THREAD_STOPED;
+               NdisReleaseSpinLock(&pAd->CmdQLock);
+               mb();
+               //RTUSBCMDUp(pAd);
+-              kthread_stop(pObj->RTUSBCmdThr_task);
+-              pObj->RTUSBCmdThr_task = NULL;
++              ret = KILL_THREAD_PID(pObj->RTUSBCmdThr_pid, SIGTERM, 1);
++              if (ret)
++              {
++                      printk(KERN_WARNING "%s: unable to RTUSBCmd thread, pid=%d, ret=%d!\n",
++                                      pAd->net_dev->name, GET_PID_NUMBER(pObj->RTUSBCmdThr_pid), ret);
++              }
++              else
++              {
++                      //wait_for_completion (&pAd->notify);
++                      wait_for_completion (&pAd->CmdQComplete);
++                      pObj->RTUSBCmdThr_pid = THREAD_PID_INIT_VALUE;
++      }
+       }
+ 
+ 
+@@ -1044,7 +1067,7 @@ BOOLEAN RT28XXChipsetCheck(
+               if (dev_p->descriptor.idVendor == rtusb_usb_id[i].idVendor &&
+                       dev_p->descriptor.idProduct == rtusb_usb_id[i].idProduct)
+               {
+-                      printk(KERN_DEBUG "rt2870: idVendor = 0x%x, idProduct = 0x%x\n",
++                      printk("rt2870: idVendor = 0x%x, idProduct = 0x%x\n",
+                                       dev_p->descriptor.idVendor, dev_p->descriptor.idProduct);
+                       break;
+               }
+--- a/drivers/staging/rt2870/common/2870_rtmp_init.c
++++ b/drivers/staging/rt2870/common/2870_rtmp_init.c
+@@ -727,8 +727,8 @@ NDIS_STATUS AdapterBlockAllocateMemory(
+ 
+       usb_dev = pObj->pUsb_Dev;
+ 
+-      pObj->MLMEThr_task              = NULL;
+-      pObj->RTUSBCmdThr_task  = NULL;
++      pObj->MLMEThr_pid               = THREAD_PID_INIT_VALUE;
++      pObj->RTUSBCmdThr_pid   = THREAD_PID_INIT_VALUE;
+ 
+       *ppAd = (PVOID)vmalloc(sizeof(RTMP_ADAPTER));
+ 
+@@ -765,7 +765,7 @@ NDIS_STATUS         CreateThreads(
+ {
+       PRTMP_ADAPTER pAd = net_dev->ml_priv;
+       POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie;
+-      struct task_struct *tsk;
++      pid_t pid_number = -1;
+ 
+       //init_MUTEX(&(pAd->usbdev_semaphore));
+ 
+@@ -779,39 +779,36 @@ NDIS_STATUS       CreateThreads(
+       init_completion (&pAd->TimerQComplete);
+ 
+       // Creat MLME Thread
+-      pObj->MLMEThr_task = NULL;
+-      tsk = kthread_run(MlmeThread, pAd, pAd->net_dev->name);
+-
+-      if (IS_ERR(tsk)) {
++      pObj->MLMEThr_pid= THREAD_PID_INIT_VALUE;
++      pid_number = kernel_thread(MlmeThread, pAd, CLONE_VM);
++      if (pid_number < 0)
++      {
+               printk (KERN_WARNING "%s: unable to start Mlme thread\n",pAd->net_dev->name);
+               return NDIS_STATUS_FAILURE;
+       }
+-
+-      pObj->MLMEThr_task = tsk;
++      pObj->MLMEThr_pid = GET_PID(pid_number);
+       // Wait for the thread to start
+       wait_for_completion(&(pAd->mlmeComplete));
+ 
+       // Creat Command Thread
+-      pObj->RTUSBCmdThr_task = NULL;
+-      tsk = kthread_run(RTUSBCmdThread, pAd, pAd->net_dev->name);
+-
+-      if (IS_ERR(tsk) < 0)
++      pObj->RTUSBCmdThr_pid= THREAD_PID_INIT_VALUE;
++      pid_number = kernel_thread(RTUSBCmdThread, pAd, CLONE_VM);
++      if (pid_number < 0)
+       {
+               printk (KERN_WARNING "%s: unable to start RTUSBCmd thread\n",pAd->net_dev->name);
+               return NDIS_STATUS_FAILURE;
+       }
+-
+-      pObj->RTUSBCmdThr_task = tsk;
++      pObj->RTUSBCmdThr_pid = GET_PID(pid_number);
+       wait_for_completion(&(pAd->CmdQComplete));
+ 
+-      pObj->TimerQThr_task = NULL;
+-      tsk = kthread_run(TimerQThread, pAd, pAd->net_dev->name);
+-      if (IS_ERR(tsk) < 0)
++      pObj->TimerQThr_pid= THREAD_PID_INIT_VALUE;
++      pid_number = kernel_thread(TimerQThread, pAd, CLONE_VM);
++      if (pid_number < 0)
+       {
+               printk (KERN_WARNING "%s: unable to start TimerQThread\n",pAd->net_dev->name);
+               return NDIS_STATUS_FAILURE;
+       }
+-      pObj->TimerQThr_task = tsk;
++      pObj->TimerQThr_pid = GET_PID(pid_number);
+       // Wait for the thread to start
+       wait_for_completion(&(pAd->TimerQComplete));
+ 
+--- a/drivers/staging/rt2870/common/cmm_data.c
++++ b/drivers/staging/rt2870/common/cmm_data.c
+@@ -709,6 +709,9 @@ BOOLEAN RTMP_FillTxBlkInfo(
+       }
+ 
+       return TRUE;
++
++FillTxBlkErr:
++      return FALSE;
+ }
+ 
+ 
+--- a/drivers/staging/rt2870/common/rtmp_init.c
++++ b/drivers/staging/rt2870/common/rtmp_init.c
+@@ -3655,7 +3655,7 @@ VOID     UserCfgInit(
+ #ifdef RALINK_28xx_QA
+       //pAd->ate.Repeat = 0;
+       pAd->ate.TxStatus = 0;
+-      pAd->ate.AtePid = NULL;
++      pAd->ate.AtePid = THREAD_PID_INIT_VALUE;
+ #endif // RALINK_28xx_QA //
+ #endif // RALINK_ATE //
+ 
+--- a/drivers/staging/rt2870/common/rtusb_io.c
++++ b/drivers/staging/rt2870/common/rtusb_io.c
+@@ -958,8 +958,7 @@ NDIS_STATUS        RTUSBEnqueueCmdFromNdis(
+       POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie;
+ 
+ 
+-      BUG_ON(pObj->RTUSBCmdThr_task == NULL);
+-      CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task))
++      CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid)
+               return (NDIS_STATUS_RESOURCES);
+ 
+       status = RTMPAllocateMemory((PVOID *)&cmdqelmt, sizeof(CmdQElmt));
+--- a/drivers/staging/rt2870/rt2870.h
++++ b/drivers/staging/rt2870/rt2870.h
+@@ -580,16 +580,14 @@ VOID RTUSBBulkRxComplete(purbb_t pUrb, s
+ #define RTUSBMlmeUp(pAd)              \
+ {                                                                 \
+       POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie;  \
+-      BUG_ON(pObj->MLMEThr_task == NULL);                 \
+-      CHECK_PID_LEGALITY(task_pid(pObj->MLMEThr_task))                    \
++      CHECK_PID_LEGALITY(pObj->MLMEThr_pid)               \
+         up(&(pAd->mlme_semaphore)); \
+ }
+ 
+ #define RTUSBCMDUp(pAd)                       \
+ {                                                                         \
+       POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie;  \
+-      BUG_ON(pObj->RTUSBCmdThr_task == NULL);     \
+-      CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task))        \
++      CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid)           \
+           up(&(pAd->RTUSBCmd_semaphore)); \
+ }
+ 
+--- a/drivers/staging/rt2870/rt_linux.h
++++ b/drivers/staging/rt2870/rt_linux.h
+@@ -44,7 +44,6 @@
+ #include <linux/module.h>
+ #include <linux/version.h>
+ #include <linux/kernel.h>
+-#include <linux/kthread.h>
+ 
+ #include <linux/spinlock.h>
+ #include <linux/init.h>
+@@ -166,12 +165,14 @@ typedef int (*HARD_START_XMIT_FUNC)(stru
+ 
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
+ typedef       struct pid *    THREAD_PID;
++#define       THREAD_PID_INIT_VALUE   NULL
+ #define       GET_PID(_v)     find_get_pid(_v)
+ #define       GET_PID_NUMBER(_v)      pid_nr(_v)
+ #define CHECK_PID_LEGALITY(_pid)      if (pid_nr(_pid) >= 0)
+ #define KILL_THREAD_PID(_A, _B, _C)   kill_pid(_A, _B, _C)
+ #else
+ typedef       pid_t   THREAD_PID;
++#define       THREAD_PID_INIT_VALUE   -1
+ #define       GET_PID(_v)     _v
+ #define       GET_PID_NUMBER(_v)      _v
+ #define CHECK_PID_LEGALITY(_pid)      if (_pid >= 0)
+@@ -187,11 +188,11 @@ struct os_lock  {
+ struct os_cookie {
+ 
+ #ifdef RT2870
+-      struct usb_device       *pUsb_Dev;
++      struct usb_device               *pUsb_Dev;
+ 
+-      struct task_struct      *MLMEThr_task;
+-      struct task_struct      *RTUSBCmdThr_task;
+-      struct task_struct      *TimerQThr_task;
++      THREAD_PID                              MLMEThr_pid;
++      THREAD_PID                              RTUSBCmdThr_pid;
++      THREAD_PID                              TimerQThr_pid;
+ #endif // RT2870 //
+ 
+       struct tasklet_struct   rx_done_task;

diff --git a/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch b/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch
new file mode 100644 (file)
index 0000000..f2cc684
--- /dev/null
+++ b/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch
@@ -0,0 +1,49 @@
+From 18753ebc8a98efe0e8ff6167afb31cef220c8e50 Mon Sep 17 00:00:00 2001
+From: Michael Buesch <mb@bu3sch.de>
+Date: Wed, 29 Jul 2009 11:39:03 +0200
+Subject: USB: devio: Properly do access_ok() checks
+
+From: Michael Buesch <mb@bu3sch.de>
+
+commit 18753ebc8a98efe0e8ff6167afb31cef220c8e50 upstream.
+
+access_ok() checks must be done on every part of the userspace structure
+that is accessed. If access_ok() on one part of the struct succeeded, it
+does not imply it will succeed on other parts of the struct. (Does
+depend on the architecture implementation of access_ok()).
+
+This changes the __get_user() users to first check access_ok() on the
+data structure.
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1308,7 +1308,8 @@ static int get_urb32(struct usbdevfs_urb
+                    struct usbdevfs_urb32 __user *uurb)
+ {
+       __u32  uptr;
+-      if (get_user(kurb->type, &uurb->type) ||
++      if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
++          __get_user(kurb->type, &uurb->type) ||
+           __get_user(kurb->endpoint, &uurb->endpoint) ||
+           __get_user(kurb->status, &uurb->status) ||
+           __get_user(kurb->flags, &uurb->flags) ||
+@@ -1523,8 +1524,9 @@ static int proc_ioctl_compat(struct dev_
+       u32 udata;
+ 
+       uioc = compat_ptr((long)arg);
+-      if (get_user(ctrl.ifno, &uioc->ifno) ||
+-          get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
++      if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
++          __get_user(ctrl.ifno, &uioc->ifno) ||
++          __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
+           __get_user(udata, &uioc->data))
+               return -EFAULT;
+       ctrl.data = compat_ptr(udata);

diff --git a/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch b/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch
new file mode 100644 (file)
index 0000000..e7ef716
--- /dev/null
+++ b/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch
@@ -0,0 +1,47 @@
+From 50d0678e2026c18e4147f0b16b5853113659b82d Mon Sep 17 00:00:00 2001
+From: Dhaval Vasa <dhaval.vasa@einfochips.com>
+Date: Fri, 7 Aug 2009 17:26:49 +0530
+Subject: USB: ftdi_sio: add product_id for Marvell OpenRD Base, Client
+
+From: Dhaval Vasa <dhaval.vasa@einfochips.com>
+
+commit 50d0678e2026c18e4147f0b16b5853113659b82d upstream.
+
+reference:
+http://www.open-rd.org
+
+Signed-off-by: Dhaval Vasa <dhaval.vasa@einfochips.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/ftdi_sio.c |    2 ++
+ drivers/usb/serial/ftdi_sio.h |    7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -673,6 +673,8 @@ static struct usb_device_id id_table_com
+       { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+       { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
++      { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
++              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+       { },                                    /* Optional parameter entry */
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio.h
++++ b/drivers/usb/serial/ftdi_sio.h
+@@ -933,6 +933,13 @@
+ #define BAYER_CONTOUR_CABLE_PID        0x6001
+ 
+ /*
++ * Marvell OpenRD Base, Client
++ * http://www.open-rd.org
++ * OpenRD Base, Client use VID 0x0403
++ */
++#define MARVELL_OPENRD_PID    0x9e90
++
++/*
+  *   BmRequestType:  1100 0000b
+  *   bRequest:       FTDI_E2_READ
+  *   wValue:         0

diff --git a/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch b/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch
new file mode 100644 (file)
index 0000000..091562c
--- /dev/null
+++ b/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch
@@ -0,0 +1,49 @@
+From c47aacc67a3d26dfab9c9b8965975ed2b2010b30 Mon Sep 17 00:00:00 2001
+From: Marko Hänninen <bugitus@gmail.com>
+Date: Fri, 31 Jul 2009 22:32:39 +0300
+Subject: USB: ftdi_sio: add vendor and product id for Bayer glucose meter serial converter cable
+
+From: Marko Hänninen <bugitus@gmail.com>
+
+commit c47aacc67a3d26dfab9c9b8965975ed2b2010b30 upstream.
+
+Attached patch adds USB vendor and product IDs for Bayer's USB to serial
+converter cable used by Bayer blood glucose meters. It seems to be a
+FT232RL based device and works without any problem with ftdi_sio driver
+when this patch is applied. See: http://winglucofacts.com/cables/
+
+
+Signed-off-by: Marko Hänninen <bugitus@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/ftdi_sio.c |    1 +
+ drivers/usb/serial/ftdi_sio.h |    7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -672,6 +672,7 @@ static struct usb_device_id id_table_com
+       { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+       { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
+       { },                                    /* Optional parameter entry */
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio.h
++++ b/drivers/usb/serial/ftdi_sio.h
+@@ -926,6 +926,13 @@
+ #define MARVELL_SHEEVAPLUG_PID        0x9e8f
+ 
+ /*
++ * Bayer Ascensia Contour blood glucose meter USB-converter cable.
++ * http://winglucofacts.com/cables/
++ */
++#define BAYER_VID                      0x1A79
++#define BAYER_CONTOUR_CABLE_PID        0x6001
++
++/*
+  *   BmRequestType:  1100 0000b
+  *   bRequest:       FTDI_E2_READ
+  *   wValue:         0

diff --git a/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch b/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch
new file mode 100644 (file)
index 0000000..0f0fd55
--- /dev/null
+++ b/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch
@@ -0,0 +1,43 @@
+From c15e3ca1d822abba78c00b1ffc3e7b382a50396e Mon Sep 17 00:00:00 2001
+From: Rogerio Brito <rbrito@ime.usp.br>
+Date: Thu, 6 Aug 2009 15:20:19 -0700
+Subject: USB: storage: include Prolific Technology USB drive in unusual_devs list
+
+From: Rogerio Brito <rbrito@ime.usp.br>
+
+commit c15e3ca1d822abba78c00b1ffc3e7b382a50396e upstream.
+
+Add a quirk entry for the Leading Driver UD-11 usb flash drive.
+
+As Alan Stern told me, the device doesn't deal correctly with the
+locking media feature of the device, and this patch incorporates it.
+
+Compiled, tested, working.
+
+Signed-off-by: Rogerio Brito <rbrito@ime.usp.br>
+Cc: Phil Dibowitz <phil@ipom.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Robert Hancock <hancockrwd@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/storage/unusual_devs.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -838,6 +838,13 @@ UNUSUAL_DEV( 0x066f, 0x8000, 0x0001, 0x0
+               US_SC_DEVICE, US_PR_DEVICE, NULL,
+               US_FL_FIX_CAPACITY ),
+ 
++/* Reported by Rogerio Brito <rbrito@ime.usp.br> */
++UNUSUAL_DEV( 0x067b, 0x2317, 0x0001, 0x001,
++              "Prolific Technology, Inc.",
++              "Mass Storage Device",
++              US_SC_DEVICE, US_PR_DEVICE, NULL,
++              US_FL_NOT_LOCKABLE ),
++
+ /* Reported by Richard -=[]=- <micro_flyer@hotmail.com> */
+ /* Change to bcdDeviceMin (0x0100 to 0x0001) reported by
+  * Thomas Bartosik <tbartdev@gmx-topmail.de> */

diff --git a/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch b/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch
new file mode 100644 (file)
index 0000000..c5de6ef
--- /dev/null
+++ b/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch
@@ -0,0 +1,32 @@
+From 01105a246345f011fde64d24a601090b646e9e4c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 30 Jul 2009 15:28:14 -0400
+Subject: USB: usbfs: fix -ENOENT error code to be -ENODEV
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 01105a246345f011fde64d24a601090b646e9e4c upstream.
+
+This patch (as1272) changes the error code returned when an open call
+for a USB device node fails to locate the corresponding device.  The
+appropriate error code is -ENODEV, not -ENOENT.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: Kay Sievers <kay.sievers@vrfy.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -582,7 +582,7 @@ static int usbdev_open(struct inode *ino
+       if (!ps)
+               goto out;
+ 
+-      ret = -ENOENT;
++      ret = -ENODEV;
+ 
+       /* usbdev device-node */
+       if (imajor(inode) == USB_DEVICE_MAJOR)

diff --git a/queue-2.6.30/x86-fix-vmi-stack-protector.patch b/queue-2.6.30/x86-fix-vmi-stack-protector.patch
new file mode 100644 (file)
index 0000000..66c7305
--- /dev/null
+++ b/queue-2.6.30/x86-fix-vmi-stack-protector.patch
@@ -0,0 +1,38 @@
+From 7d5b005652bc5ae3e1e0efc53fd0e25a643ec506 Mon Sep 17 00:00:00 2001
+From: Alok Kataria <akataria@vmware.com>
+Date: Tue, 4 Aug 2009 15:34:22 -0700
+Subject: x86: Fix VMI && stack protector
+
+From: Alok Kataria <akataria@vmware.com>
+
+commit 7d5b005652bc5ae3e1e0efc53fd0e25a643ec506 upstream.
+
+With CONFIG_STACK_PROTECTOR turned on, VMI doesn't boot with
+more than one processor. The problem is with the gs value not
+being initialized correctly when registering the secondary
+processor for VMI's case.
+
+The patch below initializes the gs value for the AP to
+__KERNEL_STACK_CANARY. Without this the secondary processor
+keeps on taking a GP on every gs access.
+
+Signed-off-by: Alok N Kataria <akataria@vmware.com>
+LKML-Reference: <1249425262.18955.40.camel@ank32.eng.vmware.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/vmi_32.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmi_32.c
++++ b/arch/x86/kernel/vmi_32.c
+@@ -441,7 +441,7 @@ vmi_startup_ipi_hook(int phys_apicid, un
+       ap.ds = __USER_DS;
+       ap.es = __USER_DS;
+       ap.fs = __KERNEL_PERCPU;
+-      ap.gs = 0;
++      ap.gs = __KERNEL_STACK_CANARY;
+ 
+       ap.eflags = 0;
+