From: Chris Wright
Date: Fri, 24 Mar 2006 07:42:32 +0000 (-0800)
Subject: Batch from Andrew
X-Git-Tag: v2.6.16.1~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d313c7eef6da1fcb689240719d2c98e7a74430c;p=thirdparty%2Fkernel%2Fstable-queue.git

Batch from Andrew
---

diff --git a/queue-2.6.16/cciss-fix-use-after-free-in-cciss_init_one.patch b/queue-2.6.16/cciss-fix-use-after-free-in-cciss_init_one.patch
new file mode 100644
index 00000000000..e951a45b321
--- /dev/null
+++ b/queue-2.6.16/cciss-fix-use-after-free-in-cciss_init_one.patch
@@ -0,0 +1,82 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:34 2006
+Date: Thu, 23 Mar 2006 02:59:24 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: kaber@trash.net, mike.miller@hp.com, stable@kernel.org
+Subject: [PATCH] cciss: fix use-after-free in cciss_init_one
+
+From: Patrick McHardy
+
+free_hba() sets hba[i] to NULL, the dereference afterwards results in this
+crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm
+not entirely sure, which is why I left it in.
+
+cciss: controller appears to be disabled
+Unable to handle kernel NULL pointer dereference at virtual address 00000370
+ printing eip:
+c1114d53
+*pde = 00000000
+Oops: 0002 [#1]
+Modules linked in:
+CPU: 0
+EIP: 0060:[] Not tainted VLI
+EFLAGS: 00010286 (2.6.16 #1)
+EIP is at cciss_init_one+0x4e9/0x4fe
+eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00
+esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8
+ds: 007b es: 007b ss: 0068
+Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
+Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38
+f7c74740
+ c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04
+c10c1d85
+ c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000
+c2536f28
+Call Trace:
+ [] show_stack_log_lvl+0xa8/0xb0
+ [] show_registers+0x102/0x16a
+ [] die+0xc1/0x13c
+ [] do_page_fault+0x38a/0x525
+ [] error_code+0x4f/0x54
+ [] pci_call_probe+0xd/0x10
+ [] __pci_device_probe+0x31/0x43
+ [] pci_device_probe+0x21/0x34
+ [] driver_probe_device+0x44/0x99
+ [] __driver_attach+0x39/0x5d
+ [] bus_for_each_dev+0x35/0x5a
+ [] driver_attach+0x14/0x16
+ [] bus_add_driver+0x5c/0x8f
+ [] driver_register+0x73/0x78
+ [] __pci_register_driver+0x5f/0x71
+ [] cciss_init+0x1a/0x1c
+ [] do_initcalls+0x4c/0x96
+ [] do_basic_setup+0x1c/0x1e
+ [] init+0x35/0x118
+ [] kernel_thread_helper+0x5/0xb
+Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de
+40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 80
+70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
+ <0>Kernel panic - not syncing: Attempted to kill init!
+
+Signed-off-by: Patrick McHardy
+Cc:
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ drivers/block/cciss.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/drivers/block/cciss.c
++++ linux-2.6.16/drivers/block/cciss.c
+@@ -3269,8 +3269,8 @@ clean2:
+ unregister_blkdev(hba[i]->major, hba[i]->devname);
+ clean1:
+ release_io_mem(hba[i]);
+- free_hba(i);
+ hba[i]->busy_initializing = 0;
++ free_hba(i);
+ return(-1);
+ }
+
diff --git a/queue-2.6.16/dm-bio-split-bvec-fix.patch b/queue-2.6.16/dm-bio-split-bvec-fix.patch
new file mode 100644
index 00000000000..6d9bf7e367e
--- /dev/null
+++ b/queue-2.6.16/dm-bio-split-bvec-fix.patch
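Review bot: In the `clean1:` path of drivers/block/cciss.c, `hba[i]->busy_initializing = 0;` is now the last use of `hba[i]` before `free_hba(i);`, but nothing in the code records that ordering constraint, so the two lines can easily be swapped back by a later cleanup. The commit message states that free_hba() sets hba[i] to NULL; a comment above the call such as `/* free_hba() clears hba[i]: nothing may dereference hba[i] after this */` would preserve that knowledge. The description itself doubts that the store is needed; if free_hba() also releases the structure (not visible here), the store is dead and could simply be dropped. The function body starts outside the hunk, so the other error labels that use `hba[i]` were not checked.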
@@ -0,0 +1,85 @@
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:39 2006
+Date: Wed, 22 Mar 2006 00:07:42 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: abhishekgupt@gmail.com, danms@us.ibm.com, stable@kernel.org, agk@redhat.com
+Subject: [PATCH] dm: bio split bvec fix
+
+From: Alasdair G Kergon
+
+The code that handles bios that span table target boundaries by breaking
+them up into smaller bios will not split an individual struct bio_vec into
+more than two pieces. Sometimes more than that are required.
+
+This patch adds a loop to break the second piece up into as many pieces as
+are necessary.
+
+Cc: "Abhishek Gupta"
+Cc: Dan Smith
+Signed-off-by: Alasdair G Kergon
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ drivers/md/dm.c | 45 +++++++++++++++++++++++++--------------------
+ 1 files changed, 25 insertions(+), 20 deletions(-)
+
+--- linux-2.6.16.orig/drivers/md/dm.c
++++ linux-2.6.16/drivers/md/dm.c
+@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone
+
+ } else {
+ /*
+- * Create two copy bios to deal with io that has
+- * been split across a target.
++ * Handle a bvec that must be split between two or more targets.
+ */
+ struct bio_vec *bv = bio->bi_io_vec + ci->idx;
++ sector_t remaining = to_sector(bv->bv_len);
++ unsigned int offset = 0;
+
+- clone = split_bvec(bio, ci->sector, ci->idx,
+- bv->bv_offset, max);
+- __map_bio(ti, clone, tio);
+-
+- ci->sector += max;
+- ci->sector_count -= max;
+- ti = dm_table_find_target(ci->map, ci->sector);
+-
+- len = to_sector(bv->bv_len) - max;
+- clone = split_bvec(bio, ci->sector, ci->idx,
+- bv->bv_offset + to_bytes(max), len);
+- tio = alloc_tio(ci->md);
+- tio->io = ci->io;
+- tio->ti = ti;
+- memset(&tio->info, 0, sizeof(tio->info));
+- __map_bio(ti, clone, tio);
++ do {
++ if (offset) {
++ ti = dm_table_find_target(ci->map, ci->sector);
++ max = max_io_len(ci->md, ci->sector, ti);
++
++ tio = alloc_tio(ci->md);
++ tio->io = ci->io;
++ tio->ti = ti;
++ memset(&tio->info, 0, sizeof(tio->info));
++ }
++
++ len = min(remaining, max);
++
++ clone = split_bvec(bio, ci->sector, ci->idx,
++ bv->bv_offset + offset, len);
++
++ __map_bio(ti, clone, tio);
++
++ ci->sector += len;
++ ci->sector_count -= len;
++ offset += to_bytes(len);
++ } while (remaining -= len);
+
+- ci->sector += len;
+- ci->sector_count -= len;
+ ci->idx++;
+ }
+ }
diff --git a/queue-2.6.16/dm-fix-bug-bio_rw_barrier-requests-to-md-raid1-hang.patch b/queue-2.6.16/dm-fix-bug-bio_rw_barrier-requests-to-md-raid1-hang.patch
new file mode 100644
index 00000000000..25186c3cec1
--- /dev/null
+++ b/queue-2.6.16/dm-fix-bug-bio_rw_barrier-requests-to-md-raid1-hang.patch
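Review bot: The new `do { ... } while (remaining -= len);` loop in __clone_and_map() (drivers/md/dm.c) terminates only if `len` is non-zero on every pass, and nothing in the hunk guarantees that: `len = min(remaining, max)` is 0 whenever `max_io_len()` returns 0 for the target that `dm_table_find_target()` selected. In that case `remaining` never shrinks and the loop keeps calling `alloc_tio()` and `__map_bio()` indefinitely. The results of `dm_table_find_target()` and `alloc_tio()` are also used unchecked (`tio->io = ci->io;`); whether either can fail is not visible here. At minimum state the invariant next to the computation, e.g. `/* max must be > 0 here, otherwise this loop never terminates */`, and consider an explicit guard on `len == 0`; how the I/O should be failed depends on code outside the hunk.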
@@ -0,0 +1,33 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:30 2006
+Date: Thu, 23 Mar 2006 02:59:22 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: neilb@suse.de, stable@kernel.org
+Subject: [PATCH] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.
+
+From: NeilBrown
+
+Both R1BIO_Barrier and R1BIO_Returned are 4 !!!!
+
+This means that barrier requests don't get returned (i.e. b_endio called)
+because it looks like they already have been.
+
+Signed-off-by: Neil Brown
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ include/linux/raid/raid1.h | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/include/linux/raid/raid1.h
++++ linux-2.6.16/include/linux/raid/raid1.h
+@@ -130,6 +130,6 @@ struct r1bio_s {
+ * with failure when last write completes (and all failed).
+ * Record that bi_end_io was called with this flag...
+ */
+-#define R1BIO_Returned 4
++#define R1BIO_Returned 6
+
+ #endif
diff --git a/queue-2.6.16/fix-scheduler-deadlock.patch b/queue-2.6.16/fix-scheduler-deadlock.patch
new file mode 100644
index 00000000000..da895de924e
--- /dev/null
+++ b/queue-2.6.16/fix-scheduler-deadlock.patch
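Review bot: `#define R1BIO_Returned 6` in include/linux/raid/raid1.h resolves the collision by picking another hand-assigned number, so the same mistake can recur when the next flag is added. The other R1BIO_* definitions are outside the hunk, but if they are all bit numbers sharing one flags field, which the symptom in the commit message suggests, declaring them in a single `enum` would let the compiler or a reviewer spot a duplicate immediately. Short of that, the comment above the define could end with a line such as `* Bit numbers must be unique across all R1BIO_* flags.`.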
@@ -0,0 +1,94 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:38 2006
+Date: Thu, 23 Mar 2006 02:59:20 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: mingo@elte.hu, anton@samba.org, stable@kernel.org
+Subject: [PATCH] fix scheduler deadlock
+
+From: Anton Blanchard
+
+We have noticed lockups during boot when stress testing kexec on ppc64.
+Two cpus would deadlock in scheduler code trying to grab already taken
+spinlocks.
+
+The double_rq_lock code uses the address of the runqueue to order the
+taking of multiple locks. This address is a per cpu variable:
+
+ if (rq1 < rq2) {
+ spin_lock(&rq1->lock);
+ spin_lock(&rq2->lock);
+ } else {
+ spin_lock(&rq2->lock);
+ spin_lock(&rq1->lock);
+ }
+
+On the other hand, the code in wake_sleeping_dependent uses the cpu id
+order to grab locks:
+
+ for_each_cpu_mask(i, sibling_map)
+ spin_lock(&cpu_rq(i)->lock);
+
+This means we rely on the address of per cpu data increasing as cpu ids
+increase. While this will be true for the generic percpu implementation it
+may not be true for arch specific implementations.
+
+One way to solve this is to always take runqueues in cpu id order. To do
+this we add a cpu variable to the runqueue and check it in the
+double runqueue locking functions.
+
+Signed-off-by: Anton Blanchard
+Acked-by: Ingo Molnar
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ kernel/sched.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/kernel/sched.c
++++ linux-2.6.16/kernel/sched.c
+@@ -237,6 +237,7 @@ struct runqueue {
+
+ task_t *migration_thread;
+ struct list_head migration_queue;
++ int cpu;
+ #endif
+
+ #ifdef CONFIG_SCHEDSTATS
+@@ -1660,6 +1661,9 @@ unsigned long nr_iowait(void)
+ /*
+ * double_rq_lock - safely lock two runqueues
+ *
++ * We must take them in cpu order to match code in
++ * dependent_sleeper and wake_dependent_sleeper.
++ *
+ * Note this does not disable interrupts like task_rq_lock,
+ * you need to do so manually before calling.
+ */
+@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r
+ spin_lock(&rq1->lock);
+ __acquire(rq2->lock); /* Fake it out ;) */
+ } else {
+- if (rq1 < rq2) {
++ if (rq1->cpu < rq2->cpu) {
+ spin_lock(&rq1->lock);
+ spin_lock(&rq2->lock);
+ } else {
+@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue
+ __acquires(this_rq->lock)
+ {
+ if (unlikely(!spin_trylock(&busiest->lock))) {
+- if (busiest < this_rq) {
++ if (busiest->cpu < this_rq->cpu) {
+ spin_unlock(&this_rq->lock);
+ spin_lock(&busiest->lock);
+ spin_lock(&this_rq->lock);
+@@ -6035,6 +6039,7 @@ void __init sched_init(void)
+ rq->push_cpu = 0;
+ rq->migration_thread = NULL;
+ INIT_LIST_HEAD(&rq->migration_queue);
++ rq->cpu = i;
+ #endif
+ atomic_set(&rq->nr_iowait, 0);
+
diff --git a/queue-2.6.16/i810fb_cursor-use-gfp_atomic.patch b/queue-2.6.16/i810fb_cursor-use-gfp_atomic.patch
new file mode 100644
index 00000000000..979787687f2
--- /dev/null
+++ b/queue-2.6.16/i810fb_cursor-use-gfp_atomic.patch
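Review bot: The comment added above double_rq_lock() in kernel/sched.c names `wake_dependent_sleeper`, while the commit message calls the function that takes the locks in cpu-id order `wake_sleeping_dependent`; the comment should carry the real name so the lock-ordering partner can be found by grep, i.e. `* dependent_sleeper and wake_sleeping_dependent.`. The same ordering rule is applied in double_lock_balance() (`busiest->cpu < this_rq->cpu`) with no comment at all, and a one-line note there would keep the two helpers from drifting apart. Separately, `int cpu;` and `rq->cpu = i;` are each added directly before an `#endif`, so the field appears to exist only under a conditional whose opening line is outside the hunks; it is worth confirming that both lock helpers are built under the same condition.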
@@ -0,0 +1,32 @@
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:36 2006
+Date: Wed, 22 Mar 2006 00:07:36 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: adaplas@pol.net, stable@kernel.org
+Subject: [PATCH] i810fb_cursor(): use GFP_ATOMIC
+
+From: "Antonino A. Daplas"
+
+The console cursor can be called in atomic context. Change memory
+allocation to use the GFP_ATOMIC flag in i810fb_cursor().
+
+Signed-off-by: Antonino Daplas
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ drivers/video/i810/i810_main.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/drivers/video/i810/i810_main.c
++++ linux-2.6.16/drivers/video/i810/i810_main.c
+@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info
+ int size = ((cursor->image.width + 7) >> 3) *
+ cursor->image.height;
+ int i;
+- u8 *data = kmalloc(64 * 8, GFP_KERNEL);
++ u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
+
+ if (data == NULL)
+ return -ENOMEM;
diff --git a/queue-2.6.16/proc-fix-duplicate-line-in-proc-devices.patch b/queue-2.6.16/proc-fix-duplicate-line-in-proc-devices.patch
new file mode 100644
index 00000000000..4eb1bbd72b8
--- /dev/null
+++ b/queue-2.6.16/proc-fix-duplicate-line-in-proc-devices.patch
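Review bot: `kmalloc(64 * 8, GFP_ATOMIC)` in i810fb_cursor() allocates a fixed 512 bytes, while `size` two lines above is computed from `cursor->image.width` and `cursor->image.height`, and the hunk does not show what bounds those dimensions. If `size` is later used as the length written into `data`, the safety of the buffer rests on a check outside this hunk, so the relationship should be written down at the allocation, for example `/* must hold the largest cursor the driver accepts; keep in sync with the size check */`. Since the allocation is now atomic it will also fail more readily; the existing `-ENOMEM` return handles that, and it may be worth confirming callers tolerate it on every cursor update. The function body starts and ends outside the hunk.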
@@ -0,0 +1,32 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 03:03:28 2006
+Date: Thu, 23 Mar 2006 02:59:19 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: stable@kernel.org, nhorman@tuxdriver.com
+Subject: [PATCH] proc: fix duplicate line in /proc/devices
+
+From: Neil Horman
+
+Fix a duplicate block device line printed after the "Block device" header
+in /proc/devices.
+
+Signed-off-by: Neil Horman
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ fs/proc/proc_misc.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.orig/fs/proc/proc_misc.c
++++ linux-2.6.16/fs/proc/proc_misc.c
+@@ -312,7 +312,7 @@ static void *devinfo_next(struct seq_fil
+ case BLK_HDR:
+ info->state = BLK_LIST;
+ (*pos)++;
+- break;
++ /*fallthrough*/
+ case BLK_LIST:
+ if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) {
+ /*
diff --git a/queue-2.6.16/rtc.h-broke-strace-builds.patch b/queue-2.6.16/rtc.h-broke-strace-builds.patch
new file mode 100644
index 00000000000..0484a0e46cb
--- /dev/null
+++ b/queue-2.6.16/rtc.h-broke-strace-builds.patch
@@ -0,0 +1,44 @@
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:37 2006
+Date: Wed, 22 Mar 2006 00:07:43 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: stable@kernel.org, joe.korty@ccur.com
+Subject: [PATCH] rtc.h broke strace(1) builds
+
+From: Joe Korty
+
+Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e
+
+ [PATCH] move rtc_interrupt() prototype to rtc.h
+
+broke strace(1) builds. The below moves the kernel-only additions lower,
+under the already provided #ifdef __KERNEL__ statement.
+
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ include/linux/rtc.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/include/linux/rtc.h
++++ linux-2.6.16/include/linux/rtc.h
+@@ -11,8 +11,6 @@
+ #ifndef _LINUX_RTC_H_
+ #define _LINUX_RTC_H_
+
+-#include
+-
+ /*
+ * The struct used to pass data via the following ioctl. Similar to the
+ * struct tm in , but it needs to be here so that the kernel
+@@ -95,6 +93,8 @@ struct rtc_pll_info {
+
+ #ifdef __KERNEL__
+
++#include
++
+ typedef struct rtc_task {
+ void (*func)(void *private_data);
+ void *private_data;
diff --git a/queue-2.6.16/series b/queue-2.6.16/series
index b2354b9b3b7..09b90d25798 100644
--- a/queue-2.6.16/series
+++ b/queue-2.6.16/series
@@ -5,3 +5,11 @@ kconfig-video_decoder-must-select-fw_loader.patch
 tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
 xfs-writeout-fix.patch
 net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
+i810fb_cursor-use-gfp_atomic.patch
+v9fs-assign-dentry-ops-to-negative-dentries.patch
+dm-bio-split-bvec-fix.patch
+rtc.h-broke-strace-builds.patch
+proc-fix-duplicate-line-in-proc-devices.patch
+fix-scheduler-deadlock.patch
+dm-fix-bug-bio_rw_barrier-requests-to-md-raid1-hang.patch
+cciss-fix-use-after-free-in-cciss_init_one.patch
diff --git a/queue-2.6.16/v9fs-assign-dentry-ops-to-negative-dentries.patch b/queue-2.6.16/v9fs-assign-dentry-ops-to-negative-dentries.patch
new file mode 100644
index 00000000000..6a96d55a847
--- /dev/null
+++ b/queue-2.6.16/v9fs-assign-dentry-ops-to-negative-dentries.patch
@@ -0,0 +1,46 @@
+From stable-bounces@linux.kernel.org Wed Mar 22 00:11:36 2006
+Date: Wed, 22 Mar 2006 00:07:37 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: lucho@ionkov.net, ericvh@gmail.com, stable@kernel.org
+Subject: [PATCH] v9fs: assign dentry ops to negative dentries
+
+From: Latchesar Ionkov
+
+If a file is not found in v9fs_vfs_lookup, the function creates negative
+dentry, but doesn't assign any dentry ops. This leaves the negative entry
+in the cache (there is no d_delete to mark it for removal). If the file is
+created outside of the mounted v9fs filesystem, the file shows up in the
+directory with weird permissions.
+
+This patch assigns the default v9fs dentry ops to the negative dentry.
+
+Signed-off-by: Latchesar Ionkov
+Signed-off-by: Eric Van Hensbergen
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ fs/9p/vfs_inode.c | 3 +--
+ 1 files changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/fs/9p/vfs_inode.c
++++ linux-2.6.16/fs/9p/vfs_inode.c
+@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st
+
+ sb = dir->i_sb;
+ v9ses = v9fs_inode2v9ses(dir);
++ dentry->d_op = &v9fs_dentry_operations;
+ dirfid = v9fs_fid_lookup(dentry->d_parent);
+
+ if (!dirfid) {
+@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st
+ goto FreeFcall;
+
+ fid->qid = fcall->params.rstat.stat.qid;
+-
+- dentry->d_op = &v9fs_dentry_operations;
+ v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb);
+
+ d_add(dentry, inode);
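Review bot: `dentry->d_op = &v9fs_dentry_operations;` now sits ahead of `v9fs_fid_lookup()` in v9fs_vfs_lookup() with no comment saying why, and its old position after the successful stat looks like the natural place, so a later cleanup could easily move it back and reintroduce the stale negative dentry described in the commit message. A comment at the new line would keep the intent, e.g. `/* set first so negative dentries also get v9fs_dentry_operations */`. The assignment now also runs before the `if (!dirfid)` error path; whether that has any effect on a dentry that is never added depends on code outside the two hunks.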