From: Greg Kroah-Hartman Date: Tue, 9 Jun 2009 23:28:09 +0000 (-0700) Subject: random patch fix X-Git-Tag: v2.6.27.25~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b3244324ec1d78c61b2e3ec7f4aca95d015821d;p=thirdparty%2Fkernel%2Fstable-queue.git random patch fix --- diff --git a/queue-2.6.29/avoid-ice-in-get_random_int-with-gcc-3.4.5.patch b/queue-2.6.29/avoid-ice-in-get_random_int-with-gcc-3.4.5.patch new file mode 100644 index 00000000000..df568e56fb6 --- /dev/null +++ b/queue-2.6.29/avoid-ice-in-get_random_int-with-gcc-3.4.5.patch @@ -0,0 +1,54 @@ +From 26a9a418237c0b06528941bca693c49c8d97edbe Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 19 May 2009 11:25:35 -0700 +Subject: Avoid ICE in get_random_int() with gcc-3.4.5 + +From: Linus Torvalds + +commit 26a9a418237c0b06528941bca693c49c8d97edbe upstream. + +Martin Knoblauch reports that trying to build 2.6.30-rc6-git3 with +RHEL4.3 userspace (gcc (GCC) 3.4.5 20051201 (Red Hat 3.4.5-2)) causes an +internal compiler error (ICE): + + drivers/char/random.c: In function `get_random_int': + drivers/char/random.c:1672: error: unrecognizable insn: + (insn 202 148 150 0 /scratch/build/linux-2.6.30-rc6-git3/arch/x86/include/asm/tsc.h:23 (set (reg:SI 0 ax [91]) + (subreg:SI (plus:DI (plus:DI (reg:DI 0 ax [88]) + (subreg:DI (reg:SI 6 bp) 0)) + (const_int -4 [0xfffffffffffffffc])) 0)) -1 (nil) + (nil)) + drivers/char/random.c:1672: internal compiler error: in extract_insn, at recog.c:2083 + +and after some debugging it turns out that it's due to the code trying +to figure out the rough value of the current stack pointer by taking an +address of an uninitialized variable and casting that to an integer. + +This is clearly a compiler bug, but it's not worth fighting - while the +current stack kernel pointer might be somewhat hard to predict in user +space, it's also not generally going to change for a lot of the call +chains for a particular process. + +So just drop it, and mumble some incoherent curses at the compiler. + +Tested-by: Martin Knoblauch +Cc: Matt Mackall +Cc: Ingo Molnar +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1668,7 +1668,7 @@ unsigned int get_random_int(void) + int ret; + + keyptr = get_keyptr(); +- hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret; ++ hash[0] += current->pid + jiffies + get_cycles(); + + ret = half_md4_transform(hash, keyptr->secret); + put_cpu_var(get_random_int_hash); diff --git a/queue-2.6.29/mbox b/queue-2.6.29/mbox new file mode 100644 index 00000000000..6a9b1de8a92 --- /dev/null +++ b/queue-2.6.29/mbox @@ -0,0 +1,8392 @@ +From greg@blue.kroah.org Tue Jun 9 02:40:52 2009 +Message-Id: <20090609094052.306238753@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Nicolas Dichtel , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 01/87] xfrm: wrong hash value for temporary SA +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=xfrm-wrong-hash-value-for-temporary-sa.patch +Content-Length: 1468 +Lines: 40 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Nicolas Dichtel + +[ Upstream commit 6a783c9067e3f71aac61a9262fe42c1f68efd4fc ] + +When kernel inserts a temporary SA for IKE, it uses the wrong hash +value for dst list. Two hash values were calcultated before: one with +source address and one with a wildcard source address. + +Bug hinted by Junwei Zhang +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_state.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -794,7 +794,7 @@ xfrm_state_find(xfrm_address_t *daddr, x + { + static xfrm_address_t saddr_wildcard = { }; + struct net *net = xp_net(pol); +- unsigned int h; ++ unsigned int h, h_wildcard; + struct hlist_node *entry; + struct xfrm_state *x, *x0, *to_put; + int acquire_in_progress = 0; +@@ -819,8 +819,8 @@ xfrm_state_find(xfrm_address_t *daddr, x + if (best) + goto found; + +- h = xfrm_dst_hash(net, daddr, &saddr_wildcard, tmpl->reqid, family); +- hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) { ++ h_wildcard = xfrm_dst_hash(net, daddr, &saddr_wildcard, tmpl->reqid, family); ++ hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h_wildcard, bydst) { + if (x->props.family == family && + x->props.reqid == tmpl->reqid && + !(x->props.flags & XFRM_STATE_WILDRECV) && + + +From greg@blue.kroah.org Tue Jun 9 02:40:52 2009 +Message-Id: <20090609094052.533568011@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ilpo Jarvinen , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 02/87] tcp: fix MSG_PEEK race check +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=tcp-fix-msg_peek-race-check.patch +Content-Length: 1666 +Lines: 56 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ilpo Jarvinen + +[ Upstream commit 775273131810caa41dfc7f9e552ea5d8508caf40 ] + +Commit 518a09ef11 (tcp: Fix recvmsg MSG_PEEK influence of +blocking behavior) lets the loop run longer than the race check +did previously expect, so we need to be more careful with this +check and consider the work we have been doing. + +I tried my best to deal with urg hole madness too which happens +here: + if (!sock_flag(sk, SOCK_URGINLINE)) { + ++*seq; + ... +by using additional offset by one but I certainly have very +little interest in testing that part. + +Signed-off-by: Ilpo Jarvinen +Tested-by: Frans Pop +Tested-by: Ian Zimmermann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1286,6 +1286,7 @@ int tcp_recvmsg(struct kiocb *iocb, stru + struct task_struct *user_recv = NULL; + int copied_early = 0; + struct sk_buff *skb; ++ u32 urg_hole = 0; + + lock_sock(sk); + +@@ -1497,7 +1498,8 @@ do_prequeue: + } + } + } +- if ((flags & MSG_PEEK) && peek_seq != tp->copied_seq) { ++ if ((flags & MSG_PEEK) && ++ (peek_seq - copied - urg_hole != tp->copied_seq)) { + if (net_ratelimit()) + printk(KERN_DEBUG "TCP(%s:%d): Application bug, race in MSG_PEEK.\n", + current->comm, task_pid_nr(current)); +@@ -1518,6 +1520,7 @@ do_prequeue: + if (!urg_offset) { + if (!sock_flag(sk, SOCK_URGINLINE)) { + ++*seq; ++ urg_hole++; + offset++; + used--; + if (!used) + + +From greg@blue.kroah.org Tue Jun 9 02:40:52 2009 +Message-Id: <20090609094052.767046420@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ilpo Jarvinen , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 03/87] [PATCH 03/16] tcp: fix >2 iw selection +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=tcp-fix-2-iw-selection.patch +Content-Length: 1009 +Lines: 35 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ilpo Jarvinen + +[ Upstream commit 86bcebafc5e7f5163ccf828792fe694b112ed6fa ] + +A long-standing feature in tcp_init_metrics() is such that +any of its goto reset prevents call to tcp_init_cwnd(). + +Signed-off-by: Ilpo Jarvinen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_input.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -927,6 +927,8 @@ static void tcp_init_metrics(struct sock + tcp_set_rto(sk); + if (inet_csk(sk)->icsk_rto < TCP_TIMEOUT_INIT && !tp->rx_opt.saw_tstamp) + goto reset; ++ ++cwnd: + tp->snd_cwnd = tcp_init_cwnd(tp, dst); + tp->snd_cwnd_stamp = tcp_time_stamp; + return; +@@ -941,6 +943,7 @@ reset: + tp->mdev = tp->mdev_max = tp->rttvar = TCP_TIMEOUT_INIT; + inet_csk(sk)->icsk_rto = TCP_TIMEOUT_INIT; + } ++ goto cwnd; + } + + static void tcp_update_reordering(struct sock *sk, const int metric, + + +From greg@blue.kroah.org Tue Jun 9 02:40:53 2009 +Message-Id: <20090609094052.993171749@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Chenault , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 04/87] net: fix skb_seq_read returning wrong offset/length for page frag data +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=net-fix-skb_seq_read-returning-wrong-offset-length-for-page-frag-data.patch +Content-Length: 1006 +Lines: 29 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Thomas Chenault + +[ Upstream commit 995b337952cdf7e05d288eede580257b632a8343 ] + +When called with a consumed value that is less than skb_headlen(skb) +bytes into a page frag, skb_seq_read() incorrectly returns an +offset/length relative to skb->data. Ensure that data which should come +from a page frag does. + +Signed-off-by: Thomas Chenault +Tested-by: Shyam Iyer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2206,7 +2206,7 @@ unsigned int skb_seq_read(unsigned int c + next_skb: + block_limit = skb_headlen(st->cur_skb) + st->stepped_offset; + +- if (abs_offset < block_limit) { ++ if (abs_offset < block_limit && !st->frag_data) { + *data = st->cur_skb->data + (abs_offset - st->stepped_offset); + return block_limit - abs_offset; + } + + +From greg@blue.kroah.org Tue Jun 9 02:40:53 2009 +Message-Id: <20090609094053.228151746@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 05/87] sch_teql: should not dereference skb after ndo_start_xmit() +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=sch_teql-should-not-dereference-skb-after-ndo_start_xmit.patch +Content-Length: 1293 +Lines: 40 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eric Dumazet + +[ Upstream commit c0f84d0d4be3f7d818b4ffb04d27f9bae64397f0 ] + +It is illegal to dereference a skb after a successful ndo_start_xmit() +call. We must store skb length in a local variable instead. + +Bug was introduced in 2.6.27 by commit 0abf77e55a2459aa9905be4b226e4729d5b4f0cb +(net_sched: Add accessor function for packet length for qdiscs) + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/sch_teql.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -303,6 +303,8 @@ restart: + switch (teql_resolve(skb, skb_res, slave)) { + case 0: + if (__netif_tx_trylock(slave_txq)) { ++ unsigned int length = qdisc_pkt_len(skb); ++ + if (!netif_tx_queue_stopped(slave_txq) && + !netif_tx_queue_frozen(slave_txq) && + slave_ops->ndo_start_xmit(skb, slave) == 0) { +@@ -310,8 +312,7 @@ restart: + master->slaves = NEXT_SLAVE(q); + netif_wake_queue(dev); + master->stats.tx_packets++; +- master->stats.tx_bytes += +- qdisc_pkt_len(skb); ++ master->stats.tx_bytes += length; + return 0; + } + __netif_tx_unlock(slave_txq); + + +From greg@blue.kroah.org Tue Jun 9 02:40:53 2009 +Message-Id: <20090609094053.454554199@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Neil Horman , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 06/87] net: fix length computation in rt_check_expire() +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=net-fix-length-computation-in-rt_check_expire.patch +Content-Length: 1467 +Lines: 49 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eric Dumazet + +[ Upstream commit cf8da764fc6959b7efb482f375dfef9830e98205 ] + +rt_check_expire() computes average and standard deviation of chain lengths, +but not correclty reset length to 0 at beginning of each chain. +This probably gives overflows for sum2 (and sum) on loaded machines instead +of meaningful results. + +Signed-off-by: Eric Dumazet +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/route.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -785,7 +785,7 @@ static void rt_check_expire(void) + static unsigned int rover; + unsigned int i = rover, goal; + struct rtable *rth, **rthp; +- unsigned long length = 0, samples = 0; ++ unsigned long samples = 0; + unsigned long sum = 0, sum2 = 0; + u64 mult; + +@@ -795,9 +795,9 @@ static void rt_check_expire(void) + goal = (unsigned int)mult; + if (goal > rt_hash_mask) + goal = rt_hash_mask + 1; +- length = 0; + for (; goal > 0; goal--) { + unsigned long tmo = ip_rt_gc_timeout; ++ unsigned long length; + + i = (i + 1) & rt_hash_mask; + rthp = &rt_hash_table[i].chain; +@@ -809,6 +809,7 @@ static void rt_check_expire(void) + + if (*rthp == NULL) + continue; ++ length = 0; + spin_lock_bh(rt_hash_lock_addr(i)); + while ((rth = *rthp) != NULL) { + if (rt_is_expired(rth)) { + + +From greg@blue.kroah.org Tue Jun 9 02:40:53 2009 +Message-Id: <20090609094053.693915417@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Neil Horman , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 07/87] net: fix rtable leak in net/ipv4/route.c +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=net-fix-rtable-leak-in-net-ipv4-route.c.patch +Content-Length: 5707 +Lines: 173 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eric Dumazet + +[ Upstream commit 1ddbcb005c395518c2cd0df504cff3d4b5c85853 ] + +Alexander V. Lukyanov found a regression in 2.6.29 and made a complete +analysis found in http://bugzilla.kernel.org/show_bug.cgi?id=13339 +Quoted here because its a perfect one : + +begin_of_quotation + 2.6.29 patch has introduced flexible route cache rebuilding. Unfortunately the + patch has at least one critical flaw, and another problem. + + rt_intern_hash calculates rthi pointer, which is later used for new entry + insertion. The same loop calculates cand pointer which is used to clean the + list. If the pointers are the same, rtable leak occurs, as first the cand is + removed then the new entry is appended to it. + + This leak leads to unregister_netdevice problem (usage count > 0). + + Another problem of the patch is that it tries to insert the entries in certain + order, to facilitate counting of entries distinct by all but QoS parameters. + Unfortunately, referencing an existing rtable entry moves it to list beginning, + to speed up further lookups, so the carefully built order is destroyed. + + For the first problem the simplest patch it to set rthi=0 when rthi==cand, but + it will also destroy the ordering. +end_of_quotation + +Problematic commit is 1080d709fb9d8cd4392f93476ee46a9d6ea05a5b +(net: implement emergency route cache rebulds when gc_elasticity is exceeded) + +Trying to keep dst_entries ordered is too complex and breaks the fact that +order should depend on the frequency of use for garbage collection. + +A possible fix is to make rt_intern_hash() simpler, and only makes +rt_check_expire() a litle bit smarter, being able to cope with an arbitrary +entries order. The added loop is running on cache hot data, while cpu +is prefetching next object, so should be unnoticied. + +Reported-and-analyzed-by: Alexander V. Lukyanov +Signed-off-by: Eric Dumazet +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 55 +++++++++++++++++-------------------------------------- + 1 file changed, 17 insertions(+), 38 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -784,7 +784,7 @@ static void rt_check_expire(void) + { + static unsigned int rover; + unsigned int i = rover, goal; +- struct rtable *rth, **rthp; ++ struct rtable *rth, *aux, **rthp; + unsigned long samples = 0; + unsigned long sum = 0, sum2 = 0; + u64 mult; +@@ -812,6 +812,7 @@ static void rt_check_expire(void) + length = 0; + spin_lock_bh(rt_hash_lock_addr(i)); + while ((rth = *rthp) != NULL) { ++ prefetch(rth->u.dst.rt_next); + if (rt_is_expired(rth)) { + *rthp = rth->u.dst.rt_next; + rt_free(rth); +@@ -820,33 +821,30 @@ static void rt_check_expire(void) + if (rth->u.dst.expires) { + /* Entry is expired even if it is in use */ + if (time_before_eq(jiffies, rth->u.dst.expires)) { ++nofree: + tmo >>= 1; + rthp = &rth->u.dst.rt_next; + /* +- * Only bump our length if the hash +- * inputs on entries n and n+1 are not +- * the same, we only count entries on ++ * We only count entries on + * a chain with equal hash inputs once + * so that entries for different QOS + * levels, and other non-hash input + * attributes don't unfairly skew + * the length computation + */ +- if ((*rthp == NULL) || +- !compare_hash_inputs(&(*rthp)->fl, +- &rth->fl)) +- length += ONE; ++ for (aux = rt_hash_table[i].chain;;) { ++ if (aux == rth) { ++ length += ONE; ++ break; ++ } ++ if (compare_hash_inputs(&aux->fl, &rth->fl)) ++ break; ++ aux = aux->u.dst.rt_next; ++ } + continue; + } +- } else if (!rt_may_expire(rth, tmo, ip_rt_gc_timeout)) { +- tmo >>= 1; +- rthp = &rth->u.dst.rt_next; +- if ((*rthp == NULL) || +- !compare_hash_inputs(&(*rthp)->fl, +- &rth->fl)) +- length += ONE; +- continue; +- } ++ } else if (!rt_may_expire(rth, tmo, ip_rt_gc_timeout)) ++ goto nofree; + + /* Cleanup aged off entries. */ + *rthp = rth->u.dst.rt_next; +@@ -1069,7 +1067,6 @@ out: return 0; + static int rt_intern_hash(unsigned hash, struct rtable *rt, struct rtable **rp) + { + struct rtable *rth, **rthp; +- struct rtable *rthi; + unsigned long now; + struct rtable *cand, **candp; + u32 min_score; +@@ -1089,7 +1086,6 @@ restart: + } + + rthp = &rt_hash_table[hash].chain; +- rthi = NULL; + + spin_lock_bh(rt_hash_lock_addr(hash)); + while ((rth = *rthp) != NULL) { +@@ -1135,17 +1131,6 @@ restart: + chain_length++; + + rthp = &rth->u.dst.rt_next; +- +- /* +- * check to see if the next entry in the chain +- * contains the same hash input values as rt. If it does +- * This is where we will insert into the list, instead of +- * at the head. This groups entries that differ by aspects not +- * relvant to the hash function together, which we use to adjust +- * our chain length +- */ +- if (*rthp && compare_hash_inputs(&(*rthp)->fl, &rt->fl)) +- rthi = rth; + } + + if (cand) { +@@ -1206,10 +1191,7 @@ restart: + } + } + +- if (rthi) +- rt->u.dst.rt_next = rthi->u.dst.rt_next; +- else +- rt->u.dst.rt_next = rt_hash_table[hash].chain; ++ rt->u.dst.rt_next = rt_hash_table[hash].chain; + + #if RT_CACHE_DEBUG >= 2 + if (rt->u.dst.rt_next) { +@@ -1225,10 +1207,7 @@ restart: + * previous writes to rt are comitted to memory + * before making rt visible to other CPUS. + */ +- if (rthi) +- rcu_assign_pointer(rthi->u.dst.rt_next, rt); +- else +- rcu_assign_pointer(rt_hash_table[hash].chain, rt); ++ rcu_assign_pointer(rt_hash_table[hash].chain, rt); + + spin_unlock_bh(rt_hash_lock_addr(hash)); + *rp = rt; + + +From greg@blue.kroah.org Tue Jun 9 02:40:54 2009 +Message-Id: <20090609094053.920368638@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 08/87] Revert "rose: zero length frame filtering in af_rose.c" +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=revert-rose-zero-length-frame-filtering-in-af_rose.c.patch +Content-Length: 1199 +Lines: 45 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David S. Miller + +[ Upstream commit 6fd4777a1fec1f7757b5a302ad3fdcc1eae2abba ] + +This reverts commit 244f46ae6e9e18f6fc0be7d1f49febde4762c34b. + +Alan Cox did the research, and just like the other radio protocols +zero-length frames have meaning because at the top level ROSE is +X.25 PLP. + +So this zero-length filtering is invalid. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/af_rose.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1072,10 +1072,6 @@ static int rose_sendmsg(struct kiocb *io + unsigned char *asmptr; + int n, size, qbit = 0; + +- /* ROSE empty frame has no meaning : don't send */ +- if (len == 0) +- return 0; +- + if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_CMSG_COMPAT)) + return -EINVAL; + +@@ -1273,12 +1269,6 @@ static int rose_recvmsg(struct kiocb *io + skb_reset_transport_header(skb); + copied = skb->len; + +- /* ROSE empty frame has no meaning : ignore it */ +- if (copied == 0) { +- skb_free_datagram(sk, skb); +- return copied; +- } +- + if (copied > size) { + copied = size; + msg->msg_flags |= MSG_TRUNC; + + +From greg@blue.kroah.org Tue Jun 9 02:40:54 2009 +Message-Id: <20090609094054.165034585@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Florian Westphal , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 09/87] pktgen: do not access flows[] beyond its length +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=pktgen-do-not-access-flows-beyond-its-length.patch +Content-Length: 842 +Lines: 27 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Florian Westphal + +[ Upstream commit 5b5f792a6a9a2f9ae812d151ed621f72e99b1725 ] + +typo -- pkt_dev->nflows is for stats only, the number of concurrent +flows is stored in cflows. + +Reported-By: Vladimir Ivashchenko +Signed-off-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/pktgen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -2447,7 +2447,7 @@ static inline void free_SAs(struct pktge + if (pkt_dev->cflows) { + /* let go of the SAs if we have them */ + int i = 0; +- for (; i < pkt_dev->nflows; i++){ ++ for (; i < pkt_dev->cflows; i++) { + struct xfrm_state *x = pkt_dev->flows[i].x; + if (x) { + xfrm_state_put(x); + + +From greg@blue.kroah.org Tue Jun 9 02:40:54 2009 +Message-Id: <20090609094054.391134475@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stanislaw Gruszka , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 10/87] myr10ge: again fix lro_gen_skb() alignment +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=myr10ge-again-fix-lro_gen_skb-alignment.patch +Content-Length: 998 +Lines: 28 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Stanislaw Gruszka + +[ Upstream commit 636d2f68a0814d84de26c021b2c15e3b4ffa29de ] + +Add LRO alignment initially committed in +621544eb8c3beaa859c75850f816dd9b056a00a3 ("[LRO]: fix lro_gen_skb() +alignment") and removed in 0dcffac1a329be69bab0ac604bf7283737108e68 +("myri10ge: add multislices support") during conversion to +multi-slice. + +Signed-off-by: Stanislaw Gruszka +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/myri10ge/myri10ge.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/myri10ge/myri10ge.c ++++ b/drivers/net/myri10ge/myri10ge.c +@@ -2446,6 +2446,7 @@ static int myri10ge_open(struct net_devi + lro_mgr->lro_arr = ss->rx_done.lro_desc; + lro_mgr->get_frag_header = myri10ge_get_frag_header; + lro_mgr->max_aggr = myri10ge_lro_max_pkts; ++ lro_mgr->frag_align_pad = 2; + if (lro_mgr->max_aggr > MAX_SKB_FRAGS) + lro_mgr->max_aggr = MAX_SKB_FRAGS; + + + +From greg@blue.kroah.org Tue Jun 9 02:40:54 2009 +Message-Id: <20090609094054.619326056@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Patrick McHardy , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 11/87] vlan/macvlan: fix NULL pointer dereferences in ethtool handlers +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=vlan-macvlan-fix-null-pointer-dereferences-in-ethtool-handlers.patch +Content-Length: 2155 +Lines: 61 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Patrick McHardy + +[ Upstream commit 7816a0a862d851d0b05710e7d94bfe390f3180e2 ] + +Check whether the underlying device provides a set of ethtool ops before +checking for individual handlers to avoid NULL pointer dereferences. + +Reported-by: Art van Breemen +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 9 ++++++--- + net/8021q/vlan_dev.c | 3 ++- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -329,7 +329,8 @@ static u32 macvlan_ethtool_get_rx_csum(s + const struct macvlan_dev *vlan = netdev_priv(dev); + struct net_device *lowerdev = vlan->lowerdev; + +- if (lowerdev->ethtool_ops->get_rx_csum == NULL) ++ if (lowerdev->ethtool_ops == NULL || ++ lowerdev->ethtool_ops->get_rx_csum == NULL) + return 0; + return lowerdev->ethtool_ops->get_rx_csum(lowerdev); + } +@@ -340,7 +341,8 @@ static int macvlan_ethtool_get_settings( + const struct macvlan_dev *vlan = netdev_priv(dev); + struct net_device *lowerdev = vlan->lowerdev; + +- if (!lowerdev->ethtool_ops->get_settings) ++ if (!lowerdev->ethtool_ops || ++ !lowerdev->ethtool_ops->get_settings) + return -EOPNOTSUPP; + + return lowerdev->ethtool_ops->get_settings(lowerdev, cmd); +@@ -351,7 +353,8 @@ static u32 macvlan_ethtool_get_flags(str + const struct macvlan_dev *vlan = netdev_priv(dev); + struct net_device *lowerdev = vlan->lowerdev; + +- if (!lowerdev->ethtool_ops->get_flags) ++ if (!lowerdev->ethtool_ops || ++ !lowerdev->ethtool_ops->get_flags) + return 0; + return lowerdev->ethtool_ops->get_flags(lowerdev); + } +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -668,7 +668,8 @@ static int vlan_ethtool_get_settings(str + const struct vlan_dev_info *vlan = vlan_dev_info(dev); + struct net_device *real_dev = vlan->real_dev; + +- if (!real_dev->ethtool_ops->get_settings) ++ if (!real_dev->ethtool_ops || ++ !real_dev->ethtool_ops->get_settings) + return -EOPNOTSUPP; + + return real_dev->ethtool_ops->get_settings(real_dev, cmd); + + +From greg@blue.kroah.org Tue Jun 9 02:40:55 2009 +Message-Id: <20090609094054.855388660@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Finn Thain , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 12/87] mac8390: fix regression caused during net_device_ops conversion +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mac8390-fix-regression-caused-during-net_device_ops-conversion.patch +Content-Length: 2106 +Lines: 59 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Finn Thain + +[ Upstream commit 217cbfa856dc1cbc2890781626c4032d9e3ec59f ] + +Changeset ca17584bf2ad1b1e37a5c0e4386728cc5fc9dabc ("mac8390: update +to net_device_ops") broke mac8390 by adding 8390.o to the link. That +meant that lib8390.c was included twice, once in mac8390.c and once in +8390.c, subject to different macros. This patch reverts that by +avoiding the wrappers in 8390.c. They seem to be of no value since +COMPAT_NET_DEV_OPS is going away soon. + +Tested with a Kinetics EtherPort card. + +Signed-off-by: Finn Thain +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/Makefile | 2 +- + drivers/net/mac8390.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/mac8390.c ++++ b/drivers/net/mac8390.c +@@ -304,7 +304,7 @@ struct net_device * __init mac8390_probe + if (!MACH_IS_MAC) + return ERR_PTR(-ENODEV); + +- dev = alloc_ei_netdev(); ++ dev = ____alloc_ei_netdev(0); + if (!dev) + return ERR_PTR(-ENOMEM); + +@@ -481,10 +481,10 @@ void cleanup_module(void) + static const struct net_device_ops mac8390_netdev_ops = { + .ndo_open = mac8390_open, + .ndo_stop = mac8390_close, +- .ndo_start_xmit = ei_start_xmit, +- .ndo_tx_timeout = ei_tx_timeout, +- .ndo_get_stats = ei_get_stats, +- .ndo_set_multicast_list = ei_set_multicast_list, ++ .ndo_start_xmit = __ei_start_xmit, ++ .ndo_tx_timeout = __ei_tx_timeout, ++ .ndo_get_stats = __ei_get_stats, ++ .ndo_set_multicast_list = __ei_set_multicast_list, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = eth_mac_addr, + .ndo_change_mtu = eth_change_mtu, +--- a/drivers/net/Makefile ++++ b/drivers/net/Makefile +@@ -100,7 +100,7 @@ obj-$(CONFIG_HAMACHI) += hamachi.o + obj-$(CONFIG_NET) += Space.o loopback.o + obj-$(CONFIG_SEEQ8005) += seeq8005.o + obj-$(CONFIG_NET_SB1000) += sb1000.o +-obj-$(CONFIG_MAC8390) += mac8390.o 8390.o ++obj-$(CONFIG_MAC8390) += mac8390.o + obj-$(CONFIG_APNE) += apne.o 8390.o + obj-$(CONFIG_PCMCIA_PCNET) += 8390.o + obj-$(CONFIG_HP100) += hp100.o + + +From greg@blue.kroah.org Tue Jun 9 02:40:55 2009 +Message-Id: <20090609094055.080659270@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jay Vosburgh , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 13/87] bonding: fix alb mode locking regression +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=bonding-fix-alb-mode-locking-regression.patch +Content-Length: 1623 +Lines: 51 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jay Vosburgh + +[ Upstream commit 815bcc2719c12b6f5b511706e2d19728e07f0b02 ] + +Fix locking issue in alb MAC address management; removed +incorrect locking and replaced with correct locking. This bug was +introduced in commit 059fe7a578fba5bbb0fdc0365bfcf6218fa25eb0 +("bonding: Convert locks to _bh, rework alb locking for new locking") + + Bug reported by Paul Smith , who also +tested the fix. + +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1739,9 +1739,6 @@ int bond_alb_set_mac_address(struct net_ + } + } + +- write_unlock_bh(&bond->curr_slave_lock); +- read_unlock(&bond->lock); +- + if (swap_slave) { + alb_swap_mac_addr(bond, swap_slave, bond->curr_active_slave); + alb_fasten_mac_swap(bond, swap_slave, bond->curr_active_slave); +@@ -1749,16 +1746,15 @@ int bond_alb_set_mac_address(struct net_ + alb_set_slave_mac_addr(bond->curr_active_slave, bond_dev->dev_addr, + bond->alb_info.rlb_enabled); + ++ read_lock(&bond->lock); + alb_send_learning_packets(bond->curr_active_slave, bond_dev->dev_addr); + if (bond->alb_info.rlb_enabled) { + /* inform clients mac address has changed */ + rlb_req_update_slave_clients(bond, bond->curr_active_slave); + } ++ read_unlock(&bond->lock); + } + +- read_lock(&bond->lock); +- write_lock_bh(&bond->curr_slave_lock); +- + return 0; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:40:55 2009 +Message-Id: <20090609094055.307662062@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jay Vosburgh , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 14/87] bonding: Remove debug printk +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=bonding-remove-debug-printk.patch +Content-Length: 1078 +Lines: 33 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jay Vosburgh + +[ Upstream commit 2690f8d62e98779c71625dba9a0fd525d8b2263d ] + + Remove debug printk I accidently left in as part of commit: + +commit 6146b1a4da98377e4abddc91ba5856bef8f23f1e +Author: Jay Vosburgh +Date: Tue Nov 4 17:51:15 2008 -0800 + + bonding: Fix ALB mode to balance traffic on VLANs + + Reported by Duncan Gibb + +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -370,8 +370,6 @@ static int rlb_arp_recv(struct sk_buff * + + if (arp->op_code == htons(ARPOP_REPLY)) { + /* update rx hash table for this ARP */ +- printk("rar: update orig %s bond_dev %s\n", orig_dev->name, +- bond_dev->name); + bond = netdev_priv(bond_dev); + rlb_update_entry_from_arp(bond, arp); + pr_debug("Server received an ARP Reply from client\n"); + + +From greg@blue.kroah.org Tue Jun 9 02:40:55 2009 +Message-Id: <20090609094055.531841123@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Dillow , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 15/87] r8169: avoid losing MSI interrupts +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=r8169-avoid-losing-msi-interrupts.patch +Content-Length: 4848 +Lines: 155 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Michael Buesch + +[ Upstream commit f11a377b3f4e897d11f0e8d1fc688667e2f19708 ] + +The 8169 chip only generates MSI interrupts when all enabled event +sources are quiescent and one or more sources transition to active. If +not all of the active events are acknowledged, or a new event becomes +active while the existing ones are cleared in the handler, we will not +see a new interrupt. + +The current interrupt handler masks off the Rx and Tx events once the +NAPI handler has been scheduled, which opens a race window in which we +can get another Rx or Tx event and never ACK'ing it, stopping all +activity until the link is reset (ifconfig down/up). Fix this by always +ACK'ing all event sources, and loop in the handler until we have all +sources quiescent. + +Signed-off-by: David Dillow +Tested-by: Michael Buesch +Tested-by: Michael Riepe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/r8169.c | 102 +++++++++++++++++++++++++++++----------------------- + 1 file changed, 57 insertions(+), 45 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -3554,54 +3554,64 @@ static irqreturn_t rtl8169_interrupt(int + int handled = 0; + int status; + ++ /* loop handling interrupts until we have no new ones or ++ * we hit a invalid/hotplug case. ++ */ + status = RTL_R16(IntrStatus); ++ while (status && status != 0xffff) { ++ handled = 1; + +- /* hotplug/major error/no more work/shared irq */ +- if ((status == 0xffff) || !status) +- goto out; +- +- handled = 1; ++ /* Handle all of the error cases first. These will reset ++ * the chip, so just exit the loop. ++ */ ++ if (unlikely(!netif_running(dev))) { ++ rtl8169_asic_down(ioaddr); ++ break; ++ } + +- if (unlikely(!netif_running(dev))) { +- rtl8169_asic_down(ioaddr); +- goto out; +- } ++ /* Work around for rx fifo overflow */ ++ if (unlikely(status & RxFIFOOver) && ++ (tp->mac_version == RTL_GIGA_MAC_VER_11)) { ++ netif_stop_queue(dev); ++ rtl8169_tx_timeout(dev); ++ break; ++ } + +- status &= tp->intr_mask; +- RTL_W16(IntrStatus, +- (status & RxFIFOOver) ? (status | RxOverflow) : status); ++ if (unlikely(status & SYSErr)) { ++ rtl8169_pcierr_interrupt(dev); ++ break; ++ } + +- if (!(status & tp->intr_event)) +- goto out; ++ if (status & LinkChg) ++ rtl8169_check_link_status(dev, tp, ioaddr); + +- /* Work around for rx fifo overflow */ +- if (unlikely(status & RxFIFOOver) && +- (tp->mac_version == RTL_GIGA_MAC_VER_11)) { +- netif_stop_queue(dev); +- rtl8169_tx_timeout(dev); +- goto out; +- } ++ /* We need to see the lastest version of tp->intr_mask to ++ * avoid ignoring an MSI interrupt and having to wait for ++ * another event which may never come. ++ */ ++ smp_rmb(); ++ if (status & tp->intr_mask & tp->napi_event) { ++ RTL_W16(IntrMask, tp->intr_event & ~tp->napi_event); ++ tp->intr_mask = ~tp->napi_event; ++ ++ if (likely(netif_rx_schedule_prep(&tp->napi))) ++ __netif_rx_schedule(&tp->napi); ++ else if (netif_msg_intr(tp)) { ++ printk(KERN_INFO "%s: interrupt %04x in poll\n", ++ dev->name, status); ++ } ++ } + +- if (unlikely(status & SYSErr)) { +- rtl8169_pcierr_interrupt(dev); +- goto out; ++ /* We only get a new MSI interrupt when all active irq ++ * sources on the chip have been acknowledged. So, ack ++ * everything we've seen and check if new sources have become ++ * active to avoid blocking all interrupts from the chip. ++ */ ++ RTL_W16(IntrStatus, ++ (status & RxFIFOOver) ? (status | RxOverflow) : status); ++ status = RTL_R16(IntrStatus); + } + +- if (status & LinkChg) +- rtl8169_check_link_status(dev, tp, ioaddr); +- +- if (status & tp->napi_event) { +- RTL_W16(IntrMask, tp->intr_event & ~tp->napi_event); +- tp->intr_mask = ~tp->napi_event; +- +- if (likely(netif_rx_schedule_prep(&tp->napi))) +- __netif_rx_schedule(&tp->napi); +- else if (netif_msg_intr(tp)) { +- printk(KERN_INFO "%s: interrupt %04x in poll\n", +- dev->name, status); +- } +- } +-out: + return IRQ_RETVAL(handled); + } + +@@ -3617,13 +3627,15 @@ static int rtl8169_poll(struct napi_stru + + if (work_done < budget) { + netif_rx_complete(napi); +- tp->intr_mask = 0xffff; +- /* +- * 20040426: the barrier is not strictly required but the +- * behavior of the irq handler could be less predictable +- * without it. Btw, the lack of flush for the posted pci +- * write is safe - FR ++ ++ /* We need for force the visibility of tp->intr_mask ++ * for other CPUs, as we can loose an MSI interrupt ++ * and potentially wait for a retransmit timeout if we don't. ++ * The posted write to IntrMask is safe, as it will ++ * eventually make it to the chip and we won't loose anything ++ * until it does. + */ ++ tp->intr_mask = 0xffff; + smp_wmb(); + RTL_W16(IntrMask, tp->intr_event); + } + + +From greg@blue.kroah.org Tue Jun 9 02:40:55 2009 +Message-Id: <20090609094055.769975008@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 16/87] sparc: Fix bus type probing for ESP and LE devices. +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=sparc-fix-bus-type-probing-for-esp-and-le-devices.patch +Content-Length: 2749 +Lines: 89 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David S. Miller + +[ Upstream commit 956d039a2537cf79ca608450d36cc70e0e515482 ] + +If there is a dummy "espdma" or "ledma" parent device above ESP scsi +or LE ethernet device nodes, we have to match the bus as SBUS. + +Otherwise the address and size cell counts are wrong and we don't +calculate the final physical device resource values correctly at all. + +Commit 5280267c1dddb8d413595b87dc406624bb497946 ("sparc: Fix handling +of LANCE and ESP parent nodes in of_device.c") was meant to fix this +problem, but that only influences the inner loop of +build_device_resources(). We need this logic to also kick in at the +beginning of build_device_resources() as well, when we make the first +attempt to determine the device's immediate parent bus type for 'reg' +property element extraction. + +Based almost entirely upon a patch by Friedrich Oslage. + +Tested-by: Meelis Roos +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/of_device_32.c | 21 +++++++++++++++++++-- + arch/sparc/kernel/of_device_64.c | 21 +++++++++++++++++++-- + 2 files changed, 38 insertions(+), 4 deletions(-) + +--- a/arch/sparc/kernel/of_device_32.c ++++ b/arch/sparc/kernel/of_device_32.c +@@ -246,8 +246,25 @@ static unsigned long of_bus_pci_get_flag + + static int of_bus_sbus_match(struct device_node *np) + { +- return !strcmp(np->name, "sbus") || +- !strcmp(np->name, "sbi"); ++ struct device_node *dp = np; ++ ++ while (dp) { ++ if (!strcmp(dp->name, "sbus") || ++ !strcmp(dp->name, "sbi")) ++ return 1; ++ ++ /* Have a look at use_1to1_mapping(). We're trying ++ * to match SBUS if that's the top-level bus and we ++ * don't have some intervening real bus that provides ++ * ranges based translations. ++ */ ++ if (of_find_property(dp, "ranges", NULL) != NULL) ++ break; ++ ++ dp = dp->parent; ++ } ++ ++ return 0; + } + + static void of_bus_sbus_count_cells(struct device_node *child, +--- a/arch/sparc/kernel/of_device_64.c ++++ b/arch/sparc/kernel/of_device_64.c +@@ -301,8 +301,25 @@ static unsigned long of_bus_pci_get_flag + + static int of_bus_sbus_match(struct device_node *np) + { +- return !strcmp(np->name, "sbus") || +- !strcmp(np->name, "sbi"); ++ struct device_node *dp = np; ++ ++ while (dp) { ++ if (!strcmp(dp->name, "sbus") || ++ !strcmp(dp->name, "sbi")) ++ return 1; ++ ++ /* Have a look at use_1to1_mapping(). We're trying ++ * to match SBUS if that's the top-level bus and we ++ * don't have some intervening real bus that provides ++ * ranges based translations. ++ */ ++ if (of_find_property(dp, "ranges", NULL) != NULL) ++ break; ++ ++ dp = dp->parent; ++ } ++ ++ return 0; + } + + static void of_bus_sbus_count_cells(struct device_node *child, + + +From greg@blue.kroah.org Tue Jun 9 02:40:56 2009 +Message-Id: <20090609094055.995419174@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 17/87] sparc64: Fix smp_callin() locking. +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=sparc64-fix-smp_callin-locking.patch +Content-Length: 803 +Lines: 30 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David S. Miller + +[ Upstream commit 8e255baa449df3049a8827a7f1f4f12b6921d0d1 ] + +Interrupts must be disabled when taking the IPI lock. + +Caught by lockdep. + +Reported-by: Meelis Roos +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/smp_64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -118,9 +118,9 @@ void __cpuinit smp_callin(void) + while (!cpu_isset(cpuid, smp_commenced_mask)) + rmb(); + +- ipi_call_lock(); ++ ipi_call_lock_irq(); + cpu_set(cpuid, cpu_online_map); +- ipi_call_unlock(); ++ ipi_call_unlock_irq(); + + /* idle thread is expected to have preempt disabled */ + preempt_disable(); + + +From greg@blue.kroah.org Tue Jun 9 02:40:56 2009 +Message-Id: <20090609094056.238393901@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:06 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-mm@kvack.org, + Matt Mackall , + Christoph Lameter , + Nick Piggin , + Pekka Enberg , + Greg Kroah-Hartman +Subject: [patch 18/87] mm: SLUB fix reclaim_state +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mm-slub-fix-reclaim_state.patch +Content-Length: 997 +Lines: 38 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Nick Piggin + +commit 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f upstream. + +SLUB does not correctly account reclaim_state.reclaimed_slab, so it will +break memory reclaim. Account it like SLAB does. + +Cc: linux-mm@kvack.org +Cc: Matt Mackall +Acked-by: Christoph Lameter +Signed-off-by: Nick Piggin +Signed-off-by: Pekka Enberg +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include /* struct reclaim_state */ + #include + #include + #include +@@ -1175,6 +1176,8 @@ static void __free_slab(struct kmem_cach + + __ClearPageSlab(page); + reset_page_mapcount(page); ++ if (current->reclaim_state) ++ current->reclaim_state->reclaimed_slab += pages; + __free_pages(page, order); + } + + + +From greg@blue.kroah.org Tue Jun 9 02:40:56 2009 +Message-Id: <20090609094056.465155618@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Woodhouse , + Greg Kroah-Hartman +Subject: [patch 19/87] Fix oops on close of hot-unplugged FTDI serial converter +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch +Content-Length: 1819 +Lines: 53 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Woodhouse + +commit 80193195f87ebca6d7417516d6edeb3969631c15 upstream. + +Commit c45d6320 ("fix reference counting of ftdi_private") stopped +ftdi_sio_port_remove() from directly freeing the port-private data, with +the intention if the port was still open, it would be freed when +ftdi_close() is eventually called and releases the last refcount on the +structure. + +That's all very well, but ftdi_sio_port_remove() still contains a call +to usb_set_serial_port_data(port, NULL) -- so by the time we get to +ftdi_close() for the port which was unplugged, it _still_ oopses on +dereferencing that NULL pointer, as it did before (and does in 2.6.29). + +The fix is just not to clear the private data in ftdi_sio_port_remove(). +Then the refcount is properly reduced to zero when the final kref_put() +happens in ftdi_close(). + +Remove a bogus comment too, while we're at it. And stop doing things +inside "if (priv)" -- it must _always_ be there. + +Based loosely on an earlier patch by Daniel Mack, and suggestions by +Alan Stern. + +Signed-off-by: David Woodhouse +Tested-by: Daniel Mack +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1485,14 +1485,7 @@ static int ftdi_sio_port_remove(struct u + + remove_sysfs_attrs(port); + +- /* all open ports are closed at this point +- * (by usbserial.c:__serial_close, which calls ftdi_close) +- */ +- +- if (priv) { +- usb_set_serial_port_data(port, NULL); +- kref_put(&priv->kref, ftdi_sio_priv_release); +- } ++ kref_put(&priv->kref, ftdi_sio_priv_release); + + return 0; + } + + +From greg@blue.kroah.org Tue Jun 9 02:40:56 2009 +Message-Id: <20090609094056.699126694@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Inaky Perez-Gonzalez , + Greg Kroah-Hartman +Subject: [patch 20/87] wimax: fix oops if netlink fails to add attribute +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=wimax-fix-oops-if-netlink-fails-to-add-attribute.patch +Content-Length: 1393 +Lines: 44 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Inaky Perez-Gonzalez + +commit d1a2627a29667fe7c4a9d06e1579a2d65bd39bba upstream. + +When sending a message to user space using wimax_msg(), if nla_put() +fails, correctly interpret the return code from wimax_msg_alloc() as +an err ptr and return the error code instead of crashing (as it is +assuming than non-NULL means the pointer is ok). + +Signed-off-by: Inaky Perez-Gonzalez +Signed-off-by: Greg Kroah-Hartman + +--- + net/wimax/op-msg.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/wimax/op-msg.c ++++ b/net/wimax/op-msg.c +@@ -149,7 +149,8 @@ struct sk_buff *wimax_msg_alloc(struct w + } + result = nla_put(skb, WIMAX_GNL_MSG_DATA, size, msg); + if (result < 0) { +- dev_err(dev, "no memory to add payload in attribute\n"); ++ dev_err(dev, "no memory to add payload (msg %p size %zu) in " ++ "attribute: %d\n", msg, size, result); + goto error_nla_put; + } + genlmsg_end(skb, genl_msg); +@@ -302,10 +303,10 @@ int wimax_msg(struct wimax_dev *wimax_de + struct sk_buff *skb; + + skb = wimax_msg_alloc(wimax_dev, pipe_name, buf, size, gfp_flags); +- if (skb == NULL) +- goto error_msg_new; +- result = wimax_msg_send(wimax_dev, skb); +-error_msg_new: ++ if (IS_ERR(skb)) ++ result = PTR_ERR(skb); ++ else ++ result = wimax_msg_send(wimax_dev, skb); + return result; + } + EXPORT_SYMBOL_GPL(wimax_msg); + + +From greg@blue.kroah.org Tue Jun 9 02:40:57 2009 +Message-Id: <20090609094056.925934429@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Frank Filz , + Trond Myklebust , + Greg Kroah-Hartman +Subject: [patch 21/87] nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission. +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=nfs-fix-nfs-v4-client-handling-of-may_exec-in-nfs_permission.patch +Content-Length: 1151 +Lines: 38 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Frank Filz + +commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd upstream. + +The problem is that permission checking is skipped if atomic open is +possible, but when exec opens a file, it just opens it O_READONLY which +means EXEC permission will not be checked at that time. + +This problem is observed by the following sequence (executed as root): + + mount -t nfs4 server:/ /mnt4 + echo "ls" >/mnt4/foo + chmod 744 /mnt4/foo + su guest -c "mnt4/foo" + +Signed-off-by: Frank Filz +Signed-off-by: Trond Myklebust +Tested-by: Eugene Teo +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1943,7 +1943,8 @@ int nfs_permission(struct inode *inode, + case S_IFREG: + /* NFSv4 has atomic_open... */ + if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN) +- && (mask & MAY_OPEN)) ++ && (mask & MAY_OPEN) ++ && !(mask & MAY_EXEC)) + goto out; + break; + case S_IFDIR: + + +From greg@blue.kroah.org Tue Jun 9 02:40:57 2009 +Message-Id: <20090609094057.155281670@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Gleixner , + Greg Kroah-Hartman +Subject: [patch 22/87] futex: setup writeable mapping for futex ops which modify user space data +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch +Content-Length: 4436 +Lines: 130 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Thomas Gleixner + +commit 64d1304a64477629cb16b75491a77bafe6f86963 upstream. + +The futex code installs a read only mapping via get_user_pages_fast() +even if the futex op function has to modify user space data. The +eventual fault was fixed up by futex_handle_fault() which walked the +VMA with mmap_sem held. + +After the cleanup patches which removed the mmap_sem dependency of the +futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex: +clean up fault logic) removed the private VMA walk logic from the +futex code. This change results in a stale RO mapping which is not +fixed up. + +Instead of reintroducing the previous fault logic we set up the +mapping in get_user_pages_fast() read/write for all operations which +modify user space data. Also handle private futexes in the same way +and make the current unconditional access_ok(VERIFY_WRITE) depend on +the futex op. + +Reported-by: Andreas Schwab +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -192,6 +192,7 @@ static void drop_futex_key_refs(union fu + * @shared: NULL for a PROCESS_PRIVATE futex, + * ¤t->mm->mmap_sem for a PROCESS_SHARED futex + * @key: address where result is stored. ++ * @rw: mapping needs to be read/write (values: VERIFY_READ, VERIFY_WRITE) + * + * Returns a negative error code or 0 + * The key words are stored in *key on success. +@@ -204,7 +205,8 @@ static void drop_futex_key_refs(union fu + * For other futexes, it points to ¤t->mm->mmap_sem and + * caller must have taken the reader lock. but NOT any spinlocks. + */ +-static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key) ++static int ++get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) + { + unsigned long address = (unsigned long)uaddr; + struct mm_struct *mm = current->mm; +@@ -227,7 +229,7 @@ static int get_futex_key(u32 __user *uad + * but access_ok() should be faster than find_vma() + */ + if (!fshared) { +- if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))) ++ if (unlikely(!access_ok(rw, uaddr, sizeof(u32)))) + return -EFAULT; + key->private.mm = mm; + key->private.address = address; +@@ -236,7 +238,7 @@ static int get_futex_key(u32 __user *uad + } + + again: +- err = get_user_pages_fast(address, 1, 0, &page); ++ err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page); + if (err < 0) + return err; + +@@ -707,7 +709,7 @@ static int futex_wake(u32 __user *uaddr, + if (!bitset) + return -EINVAL; + +- ret = get_futex_key(uaddr, fshared, &key); ++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ); + if (unlikely(ret != 0)) + goto out; + +@@ -753,10 +755,10 @@ futex_wake_op(u32 __user *uaddr1, int fs + int ret, op_ret, attempt = 0; + + retryfull: +- ret = get_futex_key(uaddr1, fshared, &key1); ++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ); + if (unlikely(ret != 0)) + goto out; +- ret = get_futex_key(uaddr2, fshared, &key2); ++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE); + if (unlikely(ret != 0)) + goto out_put_key1; + +@@ -859,10 +861,10 @@ static int futex_requeue(u32 __user *uad + int ret, drop_count = 0; + + retry: +- ret = get_futex_key(uaddr1, fshared, &key1); ++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ); + if (unlikely(ret != 0)) + goto out; +- ret = get_futex_key(uaddr2, fshared, &key2); ++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE); + if (unlikely(ret != 0)) + goto out_put_key1; + +@@ -1181,7 +1183,7 @@ static int futex_wait(u32 __user *uaddr, + q.bitset = bitset; + retry: + q.key = FUTEX_KEY_INIT; +- ret = get_futex_key(uaddr, fshared, &q.key); ++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_READ); + if (unlikely(ret != 0)) + goto out; + +@@ -1370,7 +1372,7 @@ static int futex_lock_pi(u32 __user *uad + q.pi_state = NULL; + retry: + q.key = FUTEX_KEY_INIT; +- ret = get_futex_key(uaddr, fshared, &q.key); ++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE); + if (unlikely(ret != 0)) + goto out; + +@@ -1630,7 +1632,7 @@ retry: + if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current)) + return -EPERM; + +- ret = get_futex_key(uaddr, fshared, &key); ++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE); + if (unlikely(ret != 0)) + goto out; + + + +From greg@blue.kroah.org Tue Jun 9 02:40:57 2009 +Message-Id: <20090609094057.382414792@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ian Campbell , + Jeremy Fitzhardinge , + Jens Axboe , + Greg Kroah-Hartman +Subject: [patch 23/87] xen/blkfront: allow xenbus state transition to Closing->Closed when not Connected +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch +Content-Length: 1184 +Lines: 35 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ian Campbell + +commit 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 upstream. + +This situation can occur when attempting to attach a block device whose +backend is an empty physical CD-ROM driver. The backend in this case +will go directly from the Initialising state to Closing->Closed. +Previously this would result in a NULL pointer deref on info->gd +(xenbus_dev_fatal does not return as a1a15ac5 seems to expect) + +Signed-off-by: Ian Campbell +Acked-by: Jeremy Fitzhardinge +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkfront.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -977,8 +977,10 @@ static void backend_changed(struct xenbu + break; + + case XenbusStateClosing: +- if (info->gd == NULL) +- xenbus_dev_fatal(dev, -ENODEV, "gd is NULL"); ++ if (info->gd == NULL) { ++ xenbus_frontend_closed(dev); ++ break; ++ } + bd = bdget_disk(info->gd, 0); + if (bd == NULL) + xenbus_dev_fatal(dev, -ENODEV, "bdget failed"); + + +From greg@blue.kroah.org Tue Jun 9 02:40:57 2009 +Message-Id: <20090609094057.608145863@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Paris , + James Morris , + Greg Kroah-Hartman +Subject: [patch 24/87] TPM: get_event_name stack corruption +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=tpm-get_event_name-stack-corruption.patch +Content-Length: 1148 +Lines: 32 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eric Paris + +commit fbaa58696cef848de818768783ef185bd3f05158 upstream. + +get_event_name uses sprintf to fill a buffer declared on the stack. It fills +the buffer 2 bytes at a time. What the code doesn't take into account is that +sprintf(buf, "%02x", data) actually writes 3 bytes. 2 bytes for the data and +then it nul terminates the string. Since we declare buf to be 40 characters +long and then we write 40 bytes of data into buf sprintf is going to write 41 +characters. The fix is to leave room in buf for the nul terminator. + +Signed-off-by: Eric Paris +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_bios.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_bios.c ++++ b/drivers/char/tpm/tpm_bios.c +@@ -212,7 +212,8 @@ static int get_event_name(char *dest, st + unsigned char * event_entry) + { + const char *name = ""; +- char data[40] = ""; ++ /* 41 so there is room for 40 data and 1 nul */ ++ char data[41] = ""; + int i, n_len = 0, d_len = 0; + struct tcpa_pc_event *pc_event; + + + +From greg@blue.kroah.org Tue Jun 9 02:40:58 2009 +Message-Id: <20090609094057.846111783@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Breno Leitao , + Greg Kroah-Hartman +Subject: [patch 25/87] icom: fix rmmod crash +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=icom-fix-rmmod-crash.patch +Content-Length: 2151 +Lines: 49 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Breno Leitao + +commit 95caa0a9bdaf93607bd0cc8932f53112496f2f22 upstream. + +Actually the icom driver is crashing when is being removed because +the driver is kfreeing the adapter structure before calling +pci_release_regions(), which result in the following error: + + Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6d33 + Faulting instruction address: 0xc000000000246b80 + Oops: Kernel access of bad area, sig: 11 [#1] + .... + [c000000012d436a0] [c0000000001002d0] .kfree+0x120/0x34c (unreliable) + [c000000012d43730] [c000000000246d60] .pci_release_selected_regions+0x3c/0x68 + [c000000012d437c0] [d000000002d54700] .icom_kref_release+0xf4/0x118 [icom] + [c000000012d43850] [c000000000232e50] .kref_put+0x74/0x94 + [c000000012d438d0] [d000000002d56c58] .icom_remove+0x40/0xa4 [icom] + [c000000012d43960] [c000000000249e48] .pci_device_remove+0x50/0x90 + [c000000012d439e0] [c0000000002d68d8] .__device_release_driver+0x94/0xd4 + [c000000012d43a70] [c0000000002d7104] .driver_detach+0xf8/0x12c + [c000000012d43b00] [c0000000002d549c] .bus_remove_driver+0xbc/0x11c + [c000000012d43b90] [c0000000002d71dc] .driver_unregister+0x60/0x80 + [c000000012d43c20] [c00000000024a07c] .pci_unregister_driver+0x44/0xe8 + [c000000012d43cb0] [d000000002d56bf4] .icom_exit+0x1c/0x40 [icom] + [c000000012d43d30] [c000000000095fa8] .SyS_delete_module+0x214/0x2a8 + [c000000012d43e30] [c00000000000852c] syscall_exit+0x0/0x40 + +Signed-off-by: Breno Leitao +Cc: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/icom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/serial/icom.c ++++ b/drivers/serial/icom.c +@@ -1482,8 +1482,8 @@ static void icom_remove_adapter(struct i + + free_irq(icom_adapter->pci_dev->irq, (void *) icom_adapter); + iounmap(icom_adapter->base_addr); +- icom_free_adapter(icom_adapter); + pci_release_regions(icom_adapter->pci_dev); ++ icom_free_adapter(icom_adapter); + } + + static void icom_kref_release(struct kref *kref) + + +From greg@blue.kroah.org Tue Jun 9 02:40:58 2009 +Message-Id: <20090609094058.091815716@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Greg Kroah-Hartman +Subject: [patch 26/87] KVM: Make paravirt tlb flush also reload the PAE PDPTRs +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch +Content-Length: 846 +Lines: 29 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Avi Kivity + +commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb upstream. + +The paravirt tlb flush may be used not only to flush TLBs, but also +to reload the four page-directory-pointer-table entries, as it is used +as a replacement for reloading CR3. Change the code to do the entire +CR3 reloading dance instead of simply flushing the TLB. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2906,8 +2906,7 @@ static int kvm_pv_mmu_write(struct kvm_v + + static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu) + { +- kvm_x86_ops->tlb_flush(vcpu); +- set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests); ++ kvm_set_cr3(vcpu, vcpu->arch.cr3); + return 1; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:40:58 2009 +Message-Id: <20090609094058.315161689@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Greg Kroah-Hartman +Subject: [patch 27/87] KVM: Fix PDPTR reloading on CR4 writes +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=kvm-fix-pdptr-reloading-on-cr4-writes.patch +Content-Length: 1607 +Lines: 45 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Avi Kivity + +commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 upstream. + +The processor is documented to reload the PDPTRs while in PAE mode if any +of the CR4 bits PSE, PGE, or PAE change. Linux relies on this +behaviour when zapping the low mappings of PAE kernels during boot. + +The code already handled changes to CR4.PAE; augment it to also notice changes +to PSE and PGE. + +This triggered while booting an F11 PAE kernel; the futex initialization code +runs before any CR3 reloads and writes to a NULL pointer; the futex subsystem +ended up uninitialized, killing PI futexes and pulseaudio which uses them. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -334,6 +334,9 @@ EXPORT_SYMBOL_GPL(kvm_lmsw); + + void kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { ++ unsigned long old_cr4 = vcpu->arch.cr4; ++ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE; ++ + if (cr4 & CR4_RESERVED_BITS) { + printk(KERN_DEBUG "set_cr4: #GP, reserved bits\n"); + kvm_inject_gp(vcpu, 0); +@@ -347,7 +350,8 @@ void kvm_set_cr4(struct kvm_vcpu *vcpu, + kvm_inject_gp(vcpu, 0); + return; + } +- } else if (is_paging(vcpu) && !is_pae(vcpu) && (cr4 & X86_CR4_PAE) ++ } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE) ++ && ((cr4 ^ old_cr4) & pdptr_bits) + && !load_pdptrs(vcpu, vcpu->arch.cr3)) { + printk(KERN_DEBUG "set_cr4: #GP, pdptrs reserved bits\n"); + kvm_inject_gp(vcpu, 0); + + +From greg@blue.kroah.org Tue Jun 9 02:40:58 2009 +Message-Id: <20090609094058.539735772@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Luis R. Rodriguez" , + "John W. Linville" , + Greg Kroah-Hartman +Subject: [patch 28/87] cfg80211: fix race between core hint and drivers custom apply +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch +Content-Length: 1107 +Lines: 38 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Luis R. Rodriguez + +commit 5078b2e32ad4b1f753b1c837c15892202f753c97 upstream. + +Its possible for cfg80211 to have scheduled the work and for +the global workqueue to not have kicked in prior to a cfg80211 +driver's regulatory hint or wiphy_apply_custom_regulatory(). + +Although this is very unlikely its possible and should fix +this race. When this race would happen you are expected to have +hit a null pointer dereference panic. + +Signed-off-by: Luis R. Rodriguez +Tested-by: Alan Jenkins +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -1497,6 +1497,13 @@ int regulatory_init(void) + "using static definition\n"); + #endif + ++ /* ++ * This ensures last_request is populated once modules ++ * come swinging in and calling regulatory hints and ++ * wiphy_apply_custom_regulatory(). ++ */ ++ flush_scheduled_work(); ++ + return 0; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:40:58 2009 +Message-Id: <20090609094058.773848825@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:17 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dave Airlie , + Venkatesh Pallipadi , + Greg Kroah-Hartman +Subject: [patch 29/87] drm/r128: fix r128 ioremaps to use ioremap_wc. +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch +Content-Length: 1037 +Lines: 32 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Dave Airlie + +commit 42beefc0093725ec0f8cea340cc54c36ccaceea0 upstream. + +This should allow r128 to start working again since PAT changes. + +taken from F-11 kernel. + +Signed-off-by: Dave Airlie +Cc: Venkatesh Pallipadi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/r128/r128_cce.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/r128/r128_cce.c ++++ b/drivers/gpu/drm/r128/r128_cce.c +@@ -511,9 +511,9 @@ static int r128_do_init_cce(struct drm_d + + #if __OS_HAS_AGP + if (!dev_priv->is_pci) { +- drm_core_ioremap(dev_priv->cce_ring, dev); +- drm_core_ioremap(dev_priv->ring_rptr, dev); +- drm_core_ioremap(dev->agp_buffer_map, dev); ++ drm_core_ioremap_wc(dev_priv->cce_ring, dev); ++ drm_core_ioremap_wc(dev_priv->ring_rptr, dev); ++ drm_core_ioremap_wc(dev->agp_buffer_map, dev); + if (!dev_priv->cce_ring->handle || + !dev_priv->ring_rptr->handle || + !dev->agp_buffer_map->handle) { + + +From greg@blue.kroah.org Tue Jun 9 02:40:59 2009 +Message-Id: <20090609094059.003720718@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Roel Kluin , + Wolfram Sang , + Grant Likely , + Benjamin Herrenschmidt , + Greg Kroah-Hartman +Subject: [patch 30/87] drivers/serial/mpc52xx_uart.c: fix array overindexing check +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch +Content-Length: 1114 +Lines: 32 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Roel Kluin + +commit b898f4f869da5b9d41f297fff87aca4cd42d80b3 upstream. + +The check for an overindexing of mpc52xx_uart_{ports,nodes} has an +off-by-one. + +Signed-off-by: Roel Kluin +Acked-by: Wolfram Sang +Acked-by: Grant Likely +Cc: Benjamin Herrenschmidt +Cc: Alan Cox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/mpc52xx_uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/serial/mpc52xx_uart.c ++++ b/drivers/serial/mpc52xx_uart.c +@@ -988,7 +988,7 @@ mpc52xx_console_setup(struct console *co + pr_debug("mpc52xx_console_setup co=%p, co->index=%i, options=%s\n", + co, co->index, options); + +- if ((co->index < 0) || (co->index > MPC52xx_PSC_MAXNUM)) { ++ if ((co->index < 0) || (co->index >= MPC52xx_PSC_MAXNUM)) { + pr_debug("PSC%x out of range\n", co->index); + return -EINVAL; + } + + +From greg@blue.kroah.org Tue Jun 9 02:40:59 2009 +Message-Id: <20090609094059.232073474@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:19 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mel Gorman , + Hugh Dickins , + Ingo Molnar , + Lee Schermerhorn , + KOSAKI Motohiro , + , + Eric B Munson , + Adam Litke , + Andy Whitcroft , + Greg Kroah-Hartman +Subject: [patch 31/87] x86: ignore VM_LOCKED when determining if hugetlb-backed page tables can be shared or not +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch +Content-Length: 2628 +Lines: 67 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Mel Gorman + +commit 32b154c0b0bae2879bf4e549d861caf1759a3546 upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +On x86 and x86-64, it is possible that page tables are shared beween +shared mappings backed by hugetlbfs. As part of this, +page_table_shareable() checks a pair of vma->vm_flags and they must match +if they are to be shared. All VMA flags are taken into account, including +VM_LOCKED. + +The problem is that VM_LOCKED is cleared on fork(). When a process with a +shared memory segment forks() to exec() a helper, there will be shared +VMAs with different flags. The impact is that the shared segment is +sometimes considered shareable and other times not, depending on what +process is checking. + +What happens is that the segment page tables are being shared but the +count is inaccurate depending on the ordering of events. As the page +tables are freed with put_page(), bad pmd's are found when some of the +children exit. The hugepage counters also get corrupted and the Total and +Free count will no longer match even when all the hugepage-backed regions +are freed. This requires a reboot of the machine to "fix". + +This patch addresses the problem by comparing all flags except VM_LOCKED +when deciding if pagetables should be shared or not for hugetlbfs-backed +mapping. + +Signed-off-by: Mel Gorman +Acked-by: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/hugetlbpage.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/hugetlbpage.c ++++ b/arch/x86/mm/hugetlbpage.c +@@ -26,12 +26,16 @@ static unsigned long page_table_shareabl + unsigned long sbase = saddr & PUD_MASK; + unsigned long s_end = sbase + PUD_SIZE; + ++ /* Allow segments to share if only one is marked locked */ ++ unsigned long vm_flags = vma->vm_flags & ~VM_LOCKED; ++ unsigned long svm_flags = svma->vm_flags & ~VM_LOCKED; ++ + /* + * match the virtual addresses, permission and the alignment of the + * page table page. + */ + if (pmd_index(addr) != pmd_index(saddr) || +- vma->vm_flags != svma->vm_flags || ++ vm_flags != svm_flags || + sbase < svma->vm_start || svma->vm_end < s_end) + return 0; + + + +From greg@blue.kroah.org Tue Jun 9 02:40:59 2009 +Message-Id: <20090609094059.462757128@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:20 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mel Gorman , + Hugh Dickins , + Ingo Molnar , + Lee Schermerhorn , + KOSAKI Motohiro , + , + Eric B Munson , + Adam Litke , + Andy Whitcroft , + Greg Kroah-Hartman +Subject: [patch 32/87] mm: account for MAP_SHARED mappings using VM_MAYSHARE and not VM_SHARED in hugetlbfs +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch +Content-Length: 6291 +Lines: 165 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Mel Gorman + +commit f83a275dbc5ca1721143698e844243fcadfabf6a upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +hugetlbfs reserves huge pages but does not fault them at mmap() time to +ensure that future faults succeed. The reservation behaviour differs +depending on whether the mapping was mapped MAP_SHARED or MAP_PRIVATE. +For MAP_SHARED mappings, hugepages are reserved when mmap() is first +called and are tracked based on information associated with the inode. +Other processes mapping MAP_SHARED use the same reservation. MAP_PRIVATE +track the reservations based on the VMA created as part of the mmap() +operation. Each process mapping MAP_PRIVATE must make its own +reservation. + +hugetlbfs currently checks if a VMA is MAP_SHARED with the VM_SHARED flag +and not VM_MAYSHARE. For file-backed mappings, such as hugetlbfs, +VM_SHARED is set only if the mapping is MAP_SHARED and the file was opened +read-write. If a shared memory mapping was mapped shared-read-write for +populating of data and mapped shared-read-only by other processes, then +hugetlbfs would account for the mapping as if it was MAP_PRIVATE. This +causes processes to fail to map the file MAP_SHARED even though it should +succeed as the reservation is there. + +This patch alters mm/hugetlb.c and replaces VM_SHARED with VM_MAYSHARE +when the intent of the code was to check whether the VMA was mapped +MAP_SHARED or MAP_PRIVATE. + +Signed-off-by: Mel Gorman +Cc: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -316,7 +316,7 @@ static void resv_map_release(struct kref + static struct resv_map *vma_resv_map(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + return (struct resv_map *)(get_vma_private_data(vma) & + ~HPAGE_RESV_MASK); + return NULL; +@@ -325,7 +325,7 @@ static struct resv_map *vma_resv_map(str + static void set_vma_resv_map(struct vm_area_struct *vma, struct resv_map *map) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, (get_vma_private_data(vma) & + HPAGE_RESV_MASK) | (unsigned long)map); +@@ -334,7 +334,7 @@ static void set_vma_resv_map(struct vm_a + static void set_vma_resv_flags(struct vm_area_struct *vma, unsigned long flags) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, get_vma_private_data(vma) | flags); + } +@@ -353,7 +353,7 @@ static void decrement_hugepage_resv_vma( + if (vma->vm_flags & VM_NORESERVE) + return; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + /* Shared mappings always use reserves */ + h->resv_huge_pages--; + } else if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) { +@@ -369,14 +369,14 @@ static void decrement_hugepage_resv_vma( + void reset_vma_resv_huge_pages(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + vma->vm_private_data = (void *)0; + } + + /* Returns true if the VMA has associated reserve pages */ + static int vma_has_reserves(struct vm_area_struct *vma) + { +- if (vma->vm_flags & VM_SHARED) ++ if (vma->vm_flags & VM_MAYSHARE) + return 1; + if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) + return 1; +@@ -924,7 +924,7 @@ static int vma_needs_reservation(struct + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + return region_chg(&inode->i_mapping->private_list, + idx, idx + 1); +@@ -949,7 +949,7 @@ static void vma_commit_reservation(struc + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + region_add(&inode->i_mapping->private_list, idx, idx + 1); + +@@ -1893,7 +1893,7 @@ retry_avoidcopy: + * at the time of fork() could consume its reserves on COW instead + * of the full address range. + */ +- if (!(vma->vm_flags & VM_SHARED) && ++ if (!(vma->vm_flags & VM_MAYSHARE) && + is_vma_resv_set(vma, HPAGE_RESV_OWNER) && + old_page != pagecache_page) + outside_reserve = 1; +@@ -2000,7 +2000,7 @@ retry: + clear_huge_page(page, address, huge_page_size(h)); + __SetPageUptodate(page); + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + int err; + struct inode *inode = mapping->host; + +@@ -2104,7 +2104,7 @@ int hugetlb_fault(struct mm_struct *mm, + goto out_mutex; + } + +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + pagecache_page = hugetlbfs_pagecache_page(h, + vma, address); + } +@@ -2289,7 +2289,7 @@ int hugetlb_reserve_pages(struct inode * + * to reserve the full area even if read-only as mprotect() may be + * called to make the mapping read-write. Assume !vma is a shm mapping + */ +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + chg = region_chg(&inode->i_mapping->private_list, from, to); + else { + struct resv_map *resv_map = resv_map_alloc(); +@@ -2330,7 +2330,7 @@ int hugetlb_reserve_pages(struct inode * + * consumed reservations are stored in the map. Hence, nothing + * else has to be done for private mappings here + */ +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + region_add(&inode->i_mapping->private_list, from, to); + return 0; + } + + +From greg@blue.kroah.org Tue Jun 9 02:40:59 2009 +Message-Id: <20090609094059.705737171@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:21 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Warren Free , + Sebastian Andrzej Siewior , + Greg Kroah-Hartman +Subject: [patch 33/87] USB: isp1760: urb_dequeue doesnt always find the urbs +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch +Content-Length: 2891 +Lines: 95 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Warren Free + +commit 0afb20e00b5053170c85298fed842b32d20b4ea9 upstream. + +The option driver (and presumably others) allocates several URBs when it +opens and tries to free them when it closes. The isp1760_urb_dequeue +function gets called, but the packet being dequeued is not necessarily at +the +front of one of the 32 queues. If not, the isp1760_urb_done function doesn't +get called for the URB and the process trying to free it hangs forever on a +wait_queue. This patch does two things. If the URB being dequeued has others +queued behind it, it re-queues them. And it searches the queues looking for +the URB being dequeued rather than just looking at the one at the front of +the queue. + +[bigeasy@linutronix] whitespace fixes, reformating + +Signed-off-by: Warren Free +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/isp1760-hcd.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/isp1760-hcd.c ++++ b/drivers/usb/host/isp1760-hcd.c +@@ -1644,6 +1644,7 @@ static int isp1760_urb_dequeue(struct us + u32 reg_base, or_reg, skip_reg; + unsigned long flags; + struct ptd ptd; ++ packet_enqueue *pe; + + switch (usb_pipetype(urb->pipe)) { + case PIPE_ISOCHRONOUS: +@@ -1655,6 +1656,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = INT_REGS_OFFSET; + or_reg = HC_INT_IRQ_MASK_OR_REG; + skip_reg = HC_INT_PTD_SKIPMAP_REG; ++ pe = enqueue_an_INT_packet; + break; + + default: +@@ -1662,6 +1664,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = ATL_REGS_OFFSET; + or_reg = HC_ATL_IRQ_MASK_OR_REG; + skip_reg = HC_ATL_PTD_SKIPMAP_REG; ++ pe = enqueue_an_ATL_packet; + break; + } + +@@ -1673,6 +1676,7 @@ static int isp1760_urb_dequeue(struct us + u32 skip_map; + u32 or_map; + struct isp1760_qtd *qtd; ++ struct isp1760_qh *qh = ints->qh; + + skip_map = isp1760_readl(hcd->regs + skip_reg); + skip_map |= 1 << i; +@@ -1685,8 +1689,7 @@ static int isp1760_urb_dequeue(struct us + priv_write_copy(priv, (u32 *)&ptd, hcd->regs + reg_base + + i * sizeof(ptd), sizeof(ptd)); + qtd = ints->qtd; +- +- clean_up_qtdlist(qtd); ++ qtd = clean_up_qtdlist(qtd); + + free_mem(priv, ints->payload); + +@@ -1697,7 +1700,24 @@ static int isp1760_urb_dequeue(struct us + ints->payload = 0; + + isp1760_urb_done(priv, urb, status); ++ if (qtd) ++ pe(hcd, qh, qtd); + break; ++ ++ } else if (ints->qtd) { ++ struct isp1760_qtd *qtd, *prev_qtd = ints->qtd; ++ ++ for (qtd = ints->qtd->hw_next; qtd; qtd = qtd->hw_next) { ++ if (qtd->urb == urb) { ++ prev_qtd->hw_next = clean_up_qtdlist(qtd); ++ isp1760_urb_done(priv, urb, status); ++ break; ++ } ++ prev_qtd = qtd; ++ } ++ /* we found the urb before the end of the list */ ++ if (qtd) ++ break; + } + ints++; + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:00 2009 +Message-Id: <20090609094059.973558433@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Clemens Ladisch , + Takashi Iwai , + Greg Kroah-Hartman +Subject: [patch 34/87] sound: usb-audio: make the MotU Fastlane work again +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=sound-usb-audio-make-the-motu-fastlane-work-again.patch +Content-Length: 2896 +Lines: 78 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Clemens Ladisch + +commit 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c upstream. + +Kernel 2.6.18 broke the MotU Fastlane, which uses duplicate endpoint +numbers in a manner that is not only illegal but also confuses the +kernel's endpoint descriptor caching mechanism. To work around this, we +have to add a separate usb_set_interface() call to guide the USB core to +the correct descriptors. + +Signed-off-by: Clemens Ladisch +Reported-and-tested-by: David Fries +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usbaudio.c | 2 +- + sound/usb/usbaudio.h | 2 +- + sound/usb/usbmidi.c | 12 +++++++++++- + sound/usb/usbquirks.h | 2 +- + 4 files changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/usb/usbaudio.c ++++ b/sound/usb/usbaudio.c +@@ -3375,7 +3375,7 @@ static int snd_usb_create_quirk(struct s + [QUIRK_MIDI_YAMAHA] = snd_usb_create_midi_interface, + [QUIRK_MIDI_MIDIMAN] = snd_usb_create_midi_interface, + [QUIRK_MIDI_NOVATION] = snd_usb_create_midi_interface, +- [QUIRK_MIDI_RAW] = snd_usb_create_midi_interface, ++ [QUIRK_MIDI_FASTLANE] = snd_usb_create_midi_interface, + [QUIRK_MIDI_EMAGIC] = snd_usb_create_midi_interface, + [QUIRK_MIDI_CME] = snd_usb_create_midi_interface, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -153,7 +153,7 @@ enum quirk_type { + QUIRK_MIDI_YAMAHA, + QUIRK_MIDI_MIDIMAN, + QUIRK_MIDI_NOVATION, +- QUIRK_MIDI_RAW, ++ QUIRK_MIDI_FASTLANE, + QUIRK_MIDI_EMAGIC, + QUIRK_MIDI_CME, + QUIRK_MIDI_US122L, +--- a/sound/usb/usbmidi.c ++++ b/sound/usb/usbmidi.c +@@ -1778,8 +1778,18 @@ int snd_usb_create_midi_interface(struct + umidi->usb_protocol_ops = &snd_usbmidi_novation_ops; + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; +- case QUIRK_MIDI_RAW: ++ case QUIRK_MIDI_FASTLANE: + umidi->usb_protocol_ops = &snd_usbmidi_raw_ops; ++ /* ++ * Interface 1 contains isochronous endpoints, but with the same ++ * numbers as in interface 0. Since it is interface 1 that the ++ * USB core has most recently seen, these descriptors are now ++ * associated with the endpoint numbers. This will foul up our ++ * attempts to submit bulk/interrupt URBs to the endpoints in ++ * interface 0, so we have to make sure that the USB core looks ++ * again at interface 0 by calling usb_set_interface() on it. ++ */ ++ usb_set_interface(umidi->chip->dev, 0, 0); + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; + case QUIRK_MIDI_EMAGIC: +--- a/sound/usb/usbquirks.h ++++ b/sound/usb/usbquirks.h +@@ -1858,7 +1858,7 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .data = & (const struct snd_usb_audio_quirk[]) { + { + .ifnum = 0, +- .type = QUIRK_MIDI_RAW ++ .type = QUIRK_MIDI_FASTLANE + }, + { + .ifnum = 1, + + +From greg@blue.kroah.org Tue Jun 9 02:41:00 2009 +Message-Id: <20090609094100.241938835@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + Greg Kroah-Hartman +Subject: [patch 35/87] usb-serial: fix crash when sub-driver updates firmware +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=usb-serial-fix-crash-when-sub-driver-updates-firmware.patch +Content-Length: 1326 +Lines: 38 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +commit 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf upstream. + +This patch (as1244) fixes a crash in usb-serial that occurs when a +sub-driver returns a positive value from its attach method, indicating +that new firmware was loaded and the device will disconnect and +reconnect. The usb-serial core then skips the step of registering the +port devices; when the disconnect occurs, the attempt to unregister +the ports fails dramatically. + +This problem shows up with Keyspan devices and it might affect others +as well. + +When the attach method returns a positive value, the patch sets +num_ports to 0. This tells usb_serial_disconnect() not to try +unregistering any of the ports; instead they are cleaned up by +destroy_serial(). + +Signed-off-by: Alan Stern +Tested-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -978,6 +978,7 @@ int usb_serial_probe(struct usb_interfac + if (retval > 0) { + /* quietly accept this device, but don't bind to a + serial port as it's about to disappear */ ++ serial->num_ports = 0; + goto exit; + } + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:00 2009 +Message-Id: <20090609094100.473905544@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Yinghai Lu , + Jesse Barnes , + Greg Kroah-Hartman +Subject: [patch 36/87] x86/pci: fix mmconfig detection with 32bit near 4g +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch +Content-Length: 2207 +Lines: 64 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Yinghai Lu + +commit 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 upstream. + +Pascal reported and bisected a commit: +| x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case + +which broke one system system. + +ACPI: Using IOAPIC for interrupt routing +PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255 +PCI: MCFG area at f0000000 reserved in ACPI motherboard resources +PCI: Using MMCONFIG for extended config space + +it didn't have +PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63 +anymore, and try to use 0xf000000 - 0xffffffff for mmconfig + +For 32bit, mcfg_res->end could be 32bit only (if 64 resources aren't used) +So use end - 1 to pass the value in mcfg->end to avoid overflow. + +We don't need to worry about the e820 path, they are always 64 bit. + +Reported-by: Pascal Terjan +Bisected-by: Pascal Terjan +Tested-by: Pascal Terjan +Signed-off-by: Yinghai Lu +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/mmconfig-shared.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/pci/mmconfig-shared.c ++++ b/arch/x86/pci/mmconfig-shared.c +@@ -254,7 +254,7 @@ static acpi_status __init check_mcfg_res + if (!fixmem32) + return AE_OK; + if ((mcfg_res->start >= fixmem32->address) && +- (mcfg_res->end <= (fixmem32->address + ++ (mcfg_res->end < (fixmem32->address + + fixmem32->address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; +@@ -271,7 +271,7 @@ static acpi_status __init check_mcfg_res + return AE_OK; + + if ((mcfg_res->start >= address.minimum) && +- (mcfg_res->end <= (address.minimum + address.address_length))) { ++ (mcfg_res->end < (address.minimum + address.address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; + } +@@ -297,7 +297,7 @@ static int __init is_acpi_reserved(u64 s + struct resource mcfg_res; + + mcfg_res.start = start; +- mcfg_res.end = end; ++ mcfg_res.end = end - 1; + mcfg_res.flags = 0; + + acpi_get_devices("PNP0C01", find_mboard_resource, &mcfg_res, NULL); + + +From greg@blue.kroah.org Tue Jun 9 02:41:00 2009 +Message-Id: <20090609094100.715289290@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Peter Korsgaard , + Artem Bityutskiy , + David Woodhouse , + Greg Kroah-Hartman +Subject: [patch 37/87] mtd_dataflash: unbreak erase support +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mtd_dataflash-unbreak-erase-support.patch +Content-Length: 1169 +Lines: 30 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Peter Korsgaard + +commit dbf8c11f821b6ff83302c34f2403b4f7231f50ae upstream. + +Commit 5b7f3a50 (fix dataflash 64-bit divisions) unfortunately +introduced a typo. Erase addr and len were swapped in the pageaddr +calculation, causing the wrong sectors to get erased. + +Signed-off-by: Peter Korsgaard +Acked-by: Artem Bityutskiy +Signed-off-by: David Woodhouse +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/devices/mtd_dataflash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/devices/mtd_dataflash.c ++++ b/drivers/mtd/devices/mtd_dataflash.c +@@ -184,7 +184,7 @@ static int dataflash_erase(struct mtd_in + /* Calculate flash page address; use block erase (for speed) if + * we're at a block boundary and need to erase the whole block. + */ +- pageaddr = div_u64(instr->len, priv->page_size); ++ pageaddr = div_u64(instr->addr, priv->page_size); + do_block = (pageaddr & 0x7) == 0 && instr->len >= blocksize; + pageaddr = pageaddr << priv->page_offset; + + + +From greg@blue.kroah.org Tue Jun 9 02:41:01 2009 +Message-Id: <20090609094100.948461594@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mike Frysinger , + Jean Delvare , + Greg Kroah-Hartman +Subject: [patch 38/87] hwmon: (lm78) Add missing __devexit_p() +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=hwmon-add-missing-__devexit_p.patch +Content-Length: 712 +Lines: 27 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Mike Frysinger + +commit 39d8bbedb9571a89d638f5b05358f26ab503d7a6 upstream. + +The remove function uses __devexit, so the .remove assignment needs +__devexit_p() to fix a build error with hotplug disabled. + +Signed-off-by: Mike Frysinger +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm78.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm78.c ++++ b/drivers/hwmon/lm78.c +@@ -182,7 +182,7 @@ static struct platform_driver lm78_isa_d + .name = "lm78", + }, + .probe = lm78_isa_probe, +- .remove = lm78_isa_remove, ++ .remove = __devexit_p(lm78_isa_remove), + }; + + + + +From greg@blue.kroah.org Tue Jun 9 02:41:01 2009 +Message-Id: <20090609094101.186185386@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-acpi@vger.kernel.org, + lenb@kernel.org, + Shaohua Li , + Len Brown , + Greg Kroah-Hartman +Subject: [patch 39/87] cpuidle: make AMC C1E work in processor_idle +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=cpuidle-make-amc-c1e-work-in-processor_idle.patch +Content-Length: 1599 +Lines: 56 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Shaohua Li + +commit 87ad57bacb25c3f24c54f142ef445f68277705f0 upstream + +When AMD C1E is enabled, local APIC timer will stop even in C1. This patch uses +broadcast ipi to replace local APIC timer in C1. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid boot hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -212,6 +212,9 @@ static void acpi_timer_check_state(int s + struct acpi_processor_power *pwr = &pr->power; + u8 type = local_apic_timer_c2_ok ? ACPI_STATE_C3 : ACPI_STATE_C2; + ++ if (boot_cpu_has(X86_FEATURE_AMDC1E)) ++ type = ACPI_STATE_C1; ++ + /* + * Check, if one of the previous states already marked the lapic + * unstable +@@ -648,6 +651,7 @@ static int acpi_processor_power_verify(s + switch (cx->type) { + case ACPI_STATE_C1: + cx->valid = 1; ++ acpi_timer_check_state(i, pr, cx); + break; + + case ACPI_STATE_C2: +@@ -871,12 +875,14 @@ static int acpi_idle_enter_c1(struct cpu + return 0; + } + ++ acpi_state_timer_broadcast(pr, cx, 1); + t1 = inl(acpi_gbl_FADT.xpm_timer_block.address); + acpi_idle_do_entry(cx); + t2 = inl(acpi_gbl_FADT.xpm_timer_block.address); + + local_irq_enable(); + cx->usage++; ++ acpi_state_timer_broadcast(pr, cx, 0); + + return ticks_elapsed_in_us(t1, t2); + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:01 2009 +Message-Id: <20090609094101.420026206@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Shaohua Li , + Len Brown , + Greg Kroah-Hartman +Subject: [patch 40/87] cpuidle: fix AMD C1E suspend hang +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=cpuidle-fix-amd-c1e-suspend-hang.patch +Content-Length: 1022 +Lines: 34 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Shaohua Li + +commit 7d60e8ab0d5507229dfbdf456501cc378610fa01 upstream. + +When AMD C1E is enabled, local APIC timer will stop even in C1. To avoid +suspend/resume hang, this patch removes C1 and replace it with a cpu_relax() in +suspend/resume path. This hasn't any impact in runtime path. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid suspend/resume hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -870,8 +870,8 @@ static int acpi_idle_enter_c1(struct cpu + + /* Do not access any ACPI IO ports in suspend path */ + if (acpi_idle_suspend) { +- acpi_safe_halt(); + local_irq_enable(); ++ cpu_relax(); + return 0; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:01 2009 +Message-Id: <20090609094101.651695251@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Bartlomiej Zolnierkiewicz , + Greg Kroah-Hartman +Subject: [patch 41/87] ide: fix 40-wire cable detection for TSST SH-S202* ATAPI devices (v2) +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch +Content-Length: 2334 +Lines: 75 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Bartlomiej Zolnierkiewicz + +commit 8369d5fa63260cc54464b4687aa6a0f78402d98e upstream. + +Since 2.6.26 we support UDMA66 on ATAPI devices requiring IVB quirk: + + commit 8588a2b732928b343233af9b1855705b8286bed4 + ("ide: add SH-S202J to ivb_list[]") + +We also later added support for more such devices in: + + commit e97564f362a93f8c248246c19828895950341252 + ("ide: More TSST drives with broken cable detection") + +and in: + + commit 3ced5c49bd2d1f2c7f769e3a54385883de63a652 + ("ide: add TSSTcorp CDDVDW SH-S202H to ivb_list[]") + +It turns out that such devices lack cable detection altogether +(which in turn results in incorrect detection of 40-wire cables +by our current cable detection strategy) so always handle them +by trusting host-side cable detection only. + +v2: +Model detection fixup from Martin. + +Reported-and-tested-by: Martin Lottermoser +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-iops.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/ide/ide-iops.c ++++ b/drivers/ide/ide-iops.c +@@ -587,8 +587,6 @@ EXPORT_SYMBOL_GPL(ide_in_drive_list); + + /* + * Early UDMA66 devices don't set bit14 to 1, only bit13 is valid. +- * We list them here and depend on the device side cable detection for them. +- * + * Some optical devices with the buggy firmwares have the same problem. + */ + static const struct drive_list_entry ivb_list[] = { +@@ -632,10 +630,25 @@ u8 eighty_ninty_three (ide_drive_t *driv + * - force bit13 (80c cable present) check also for !ivb devices + * (unless the slave device is pre-ATA3) + */ +- if ((id[ATA_ID_HW_CONFIG] & 0x4000) || +- (ivb && (id[ATA_ID_HW_CONFIG] & 0x2000))) ++ if (id[ATA_ID_HW_CONFIG] & 0x4000) + return 1; + ++ if (ivb) { ++ const char *model = (char *)&id[ATA_ID_PROD]; ++ ++ if (strstr(model, "TSSTcorp CDDVDW SH-S202")) { ++ /* ++ * These ATAPI devices always report 80c cable ++ * so we have to depend on the host in this case. ++ */ ++ if (hwif->cbl == ATA_CBL_PATA80) ++ return 1; ++ } else { ++ /* Depend on the device side cable detection. */ ++ if (id[ATA_ID_HW_CONFIG] & 0x2000) ++ return 1; ++ } ++ } + no_80w: + if (drive->dev_flags & IDE_DFLAG_UDMA33_WARNED) + return 0; + + +From greg@blue.kroah.org Tue Jun 9 02:41:02 2009 +Message-Id: <20090609094101.891768425@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Greg Kroah-Hartman +Subject: [patch 42/87] KVM: Explicity initialize cpus_hardware_enabled +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=kvm-explicity-initialize-cpus_hardware_enabled.patch +Content-Length: 829 +Lines: 30 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Avi Kivity + +commit a4c0364be3f43d3e17fe19270f8b3d64881606e6 upstream. + +Under CONFIG_MAXSMP, cpus_hardware_enabled is allocated from the heap and +not statically initialized. This causes a crash on reboot when kvm thinks +vmx is enabled on random nonexistent cpus and accesses nonexistent percpu +lists. + +Fix by explicitly clearing the variable. + +Reported-and-tested-by: Yinghai Lu +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2315,6 +2315,7 @@ int kvm_init(void *opaque, unsigned int + r = -ENOMEM; + goto out_free_0; + } ++ cpumask_clear(cpus_hardware_enabled); + + r = kvm_arch_hardware_setup(); + if (r < 0) + + +From greg@blue.kroah.org Tue Jun 9 02:41:02 2009 +Message-Id: <20090609094102.145068152@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Bartlomiej Zolnierkiewicz , + Greg Kroah-Hartman +Subject: [patch 43/87] ide_pci_generic: add quirk for Netcell ATA RAID +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ide_pci_generic-add-quirk-for-netcell-ata-raid.patch +Content-Length: 1615 +Lines: 55 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Bartlomiej Zolnierkiewicz + +commit c339dfdd65b52bfd947ab29d1210314a2f6d622d upstream. + +We need to explicitly mark words 85-87 as valid ones since +firmware doesn't do it. + +This should fix support for LBA48 and FLUSH CACHE [EXT] command +which stopped working after we applied more strict checking of +identify words in: + + commit 942dcd85bf8edf38cdc3745306ca250684d99a61 + ("ide: idedisk_supports_lba48() -> ata_id_lba48_enabled()") + +and + + commit 4b58f17d7c45a8e5f4acda641bec388398b9c0fa + ("ide: ide_id_has_flush_cache() -> ata_id_flush_enabled()") + +Reported-and-tested-by: "Trevor Hemsley" +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-pci-generic.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/ide/ide-pci-generic.c ++++ b/drivers/ide/ide-pci-generic.c +@@ -35,6 +35,16 @@ MODULE_PARM_DESC(all_generic_ide, "IDE g + + #define IDE_HFLAGS_UMC (IDE_HFLAG_NO_DMA | IDE_HFLAG_FORCE_LEGACY_IRQS) + ++static void netcell_quirkproc(ide_drive_t *drive) ++{ ++ /* mark words 85-87 as valid */ ++ drive->id[ATA_ID_CSF_DEFAULT] |= 0x4000; ++} ++ ++static const struct ide_port_ops netcell_port_ops = { ++ .quirkproc = netcell_quirkproc, ++}; ++ + #define DECLARE_GENERIC_PCI_DEV(extra_flags) \ + { \ + .name = DRV_NAME, \ +@@ -76,6 +86,7 @@ static const struct ide_port_info generi + + { /* 6: Revolution */ + .name = DRV_NAME, ++ .port_ops = &netcell_port_ops, + .host_flags = IDE_HFLAG_CLEAR_SIMPLEX | + IDE_HFLAG_TRUST_BIOS_FOR_DMA | + IDE_HFLAG_OFF_BOARD, + + +From greg@blue.kroah.org Tue Jun 9 02:41:02 2009 +Message-Id: <20090609094102.377860651@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:32 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Borislav Petkov , + Bartlomiej Zolnierkiewicz , + Greg Kroah-Hartman +Subject: [patch 44/87] ide: fix OOPS during ide-cd error recovery +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ide-fix-oops-during-ide-cd-error-recovery.patch +Content-Length: 1713 +Lines: 51 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Bartlomiej Zolnierkiewicz + +commit e3b29f05124b07303088795396ff858811d2acb8 upstream. + +On Tuesday 19 May 2009 20:29:28 Martin Lottermoser wrote: + +> hdc: cdrom_decode_status: error=0x40 <3>{ LastFailedSense=0x04 } +> ide: failed opcode was: unknown +> hdc: DMA disabled +> ------------[ cut here ]------------ +> kernel BUG at drivers/ide/ide-io.c:872! + +It is possible for ide-cd to ignore ide_error()'s return value under +some circumstances. Workaround it in ide_intr() and ide_timer_expiry() +by checking if there is a device/port reset pending currently. + +Fixes bug #13345: + + http://bugzilla.kernel.org/show_bug.cgi?id=13345 + +Reported-by: Martin Lottermoser +Reported-and-tested-by: Modestas Vainius +Cc: Borislav Petkov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ide/ide-io.c ++++ b/drivers/ide/ide-io.c +@@ -967,7 +967,7 @@ void ide_timer_expiry (unsigned long dat + } + spin_lock_irq(&hwif->lock); + enable_irq(hwif->irq); +- if (startstop == ide_stopped) { ++ if (startstop == ide_stopped && hwif->polling == 0) { + ide_unlock_port(hwif); + plug_device = 1; + } +@@ -1145,7 +1145,7 @@ irqreturn_t ide_intr (int irq, void *dev + * same irq as is currently being serviced here, and Linux + * won't allow another of the same (on any CPU) until we return. + */ +- if (startstop == ide_stopped) { ++ if (startstop == ide_stopped && hwif->polling == 0) { + BUG_ON(hwif->handler); + ide_unlock_port(hwif); + plug_device = 1; + + +From greg@blue.kroah.org Tue Jun 9 02:41:02 2009 +Message-Id: <20090609094102.610840271@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:33 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Paris , + Greg Kroah-Hartman +Subject: [patch 45/87] SELinux: BUG in SELinux compat_net code +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=selinux-bug-in-selinux-compat_net-code.patch +Content-Length: 1519 +Lines: 40 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eric Paris + +This patch is not applicable to Linus's tree as the code in question has +been removed for 2.6.30. I'm sending in case any of the stable +maintainers would like to push to their branches (which I think anything +pre 2.6.30 would like to do). + +Ubuntu users were experiencing a kernel panic when they enabled SELinux +due to an old bug in our handling of the compatibility mode network +controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e +Most distros have not used the compat_net code since the new code was +introduced and so noone has hit this problem before. Ubuntu is the only +distro I know that enabled that legacy cruft by default. But, I was ask +to look at it and found that the above patch changed a call to +avc_has_perm from if(send_perm) to if(!send_perm) in +selinux_ip_postroute_iptables_compat(). The result is that users who +turn on SELinux and have compat_net set can (and oftern will) BUG() in +avc_has_perm_noaudit since they are requesting 0 permissions. + +This patch corrects that accidental bug introduction. + +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4648,7 +4648,7 @@ static int selinux_ip_postroute_iptables + if (err) + return err; + +- if (send_perm != 0) ++ if (!send_perm) + return 0; + + err = sel_netport_sid(sk->sk_protocol, + + +From greg@blue.kroah.org Tue Jun 9 02:41:03 2009 +Message-Id: <20090609094102.849740736@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Neil Horman , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 46/87] e1000: add missing length check to e1000 receive routine +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=e1000-add-missing-length-check-to-e1000-receive-routine.patch +Content-Length: 2115 +Lines: 44 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Neil Horman + +commit ea30e11970a96cfe5e32c03a29332554573b4a10 upstream. + + Patch to fix bad length checking in e1000. E1000 by default does two +things: + +1) Spans rx descriptors for packets that don't fit into 1 skb on recieve +2) Strips the crc from a frame by subtracting 4 bytes from the length prior to +doing an skb_put + +Since the e1000 driver isn't written to support receiving packets that span +multiple rx buffers, it checks the End of Packet bit of every frame, and +discards it if its not set. This places us in a situation where, if we have a +spanning packet, the first part is discarded, but the second part is not (since +it is the end of packet, and it passes the EOP bit test). If the second part of +the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, +underflow the length, and wind up in skb_over_panic, when we try to skb_put a +huge number of bytes into the skb. This amounts to a remote DOS attack through +careful selection of frame size in relation to interface MTU. The fix for this +is already in the e1000e driver, as well as the e1000 sourceforge driver, but no +one ever pushed it to e1000. This is lifted straight from e1000e, and prevents +small frames from causing the underflow described above + +Signed-off-by: Neil Horman +Tested-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- a/drivers/net/e1000/e1000_main.c ++++ b/drivers/net/e1000/e1000_main.c +@@ -4027,8 +4027,9 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter, + PCI_DMA_FROMDEVICE); + + length = le16_to_cpu(rx_desc->length); +- +- if (unlikely(!(status & E1000_RXD_STAT_EOP))) { ++ /* !EOP means multiple descriptors were used to store a single ++ * packet, also make sure the frame isn't just CRC only */ ++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) { + /* All receives must fit into a single buffer */ + E1000_DBG("%s: Receive packet consumed multiple" + " buffers\n", netdev->name); + + +From greg@blue.kroah.org Tue Jun 9 02:41:03 2009 +Message-Id: <20090609094103.080454984@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:35 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Kirsher , + Stephen Hemminger , + Greg Kroah-Hartman +Subject: [patch 47/87] igb: fix LRO warning +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=igb-fix-lro-warning.patch +Content-Length: 1158 +Lines: 34 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jeff Kirsher + +This fix is only needed for 2.6.29.y tree, since in 2.6.30 and later IGB +has moved to using GRO instead of LRO. + +igb supports LRO, but was not setting any hooks to the ->set_flags +ethtool_ops function. This would trigger warnings if the user tried +to enable or disable LRO. + +Based on the patch provided by Stephen Hemminger + +Reported-by: Sergey Kononenko +Signed-off-by: Jeff Kirsher +CC: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/igb/igb_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/igb/igb_ethtool.c ++++ b/drivers/net/igb/igb_ethtool.c +@@ -2024,6 +2024,10 @@ static struct ethtool_ops igb_ethtool_op + .get_ethtool_stats = igb_get_ethtool_stats, + .get_coalesce = igb_get_coalesce, + .set_coalesce = igb_set_coalesce, ++ .get_flags = ethtool_op_get_flags, ++#ifdef CONFIG_IGB_LRO ++ .set_flags = ethtool_op_set_flags, ++#endif + }; + + void igb_set_ethtool_ops(struct net_device *netdev) + + +From greg@blue.kroah.org Tue Jun 9 02:41:03 2009 +Message-Id: <20090609094103.315637657@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:36 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Reinette Chatre , + "John W. Linville" , + Greg Kroah-Hartman +Subject: [patch 48/87] iwlwifi: update key flags at time key is set +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=iwlwifi-update-key-flags-at-time-key-is-set.patch +Content-Length: 3053 +Lines: 86 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Reinette Chatre + +commit 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 upstream. + +We need to be symmetrical in what is done when key is set and cleared. +This is important wrt the key flags as they are used during key +clearing and if they are not set when the key is set the key cannot be +cleared completely. + +This addresses the many occurences of the WARN found in +iwl_set_tkip_dynamic_key_info() and tracked in +http://www.kerneloops.org/searchweek.php?search=iwl_set_dynamic_key + +If calling iwl_set_tkip_dynamic_key_info()/iwl_remove_dynamic_key() +pair a few times in a row will cause that we run out of key space. +This is because the index stored in the key flags is used by +iwl_remove_dynamic_key() to decide if it should remove the key. +Unfortunately the key flags, and hence the key index is currently only +set at the time the key is written to the device (in +iwl_update_tkip_key()) and _not_ in iwl_set_tkip_dynamic_key_info(). +Fix this by setting flags in iwl_set_tkip_dynamic_key_info(). + +Signed-off-by: Reinette Chatre +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/wireless/iwlwifi/iwl-sta.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/iwl-sta.c ++++ b/drivers/net/wireless/iwlwifi/iwl-sta.c +@@ -708,6 +708,14 @@ static int iwl_set_tkip_dynamic_key_info + { + unsigned long flags; + int ret = 0; ++ __le16 key_flags = 0; ++ ++ key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK); ++ key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); ++ key_flags &= ~STA_KEY_FLG_INVALID; ++ ++ if (sta_id == priv->hw_params.bcast_sta_id) ++ key_flags |= STA_KEY_MULTICAST_MSK; + + keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_IV; + keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC; +@@ -727,6 +735,9 @@ static int iwl_set_tkip_dynamic_key_info + WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET, + "no space for new kew"); + ++ priv->stations[sta_id].sta.key.key_flags = key_flags; ++ ++ + /* This copy is acutally not needed: we get the key with each TX */ + memcpy(priv->stations[sta_id].keyinfo.key, keyconf->key, 16); + +@@ -743,9 +754,7 @@ void iwl_update_tkip_key(struct iwl_priv + { + u8 sta_id = IWL_INVALID_STATION; + unsigned long flags; +- __le16 key_flags = 0; + int i; +- DECLARE_MAC_BUF(mac); + + sta_id = iwl_find_station(priv, addr); + if (sta_id == IWL_INVALID_STATION) { +@@ -760,16 +769,8 @@ void iwl_update_tkip_key(struct iwl_priv + return; + } + +- key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK); +- key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); +- key_flags &= ~STA_KEY_FLG_INVALID; +- +- if (sta_id == priv->hw_params.bcast_sta_id) +- key_flags |= STA_KEY_MULTICAST_MSK; +- + spin_lock_irqsave(&priv->sta_lock, flags); + +- priv->stations[sta_id].sta.key.key_flags = key_flags; + priv->stations[sta_id].sta.key.tkip_rx_tsc_byte2 = (u8) iv32; + + for (i = 0; i < 5; i++) + + +From greg@blue.kroah.org Tue Jun 9 02:41:03 2009 +Message-Id: <20090609094103.545752040@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:37 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jiri Slaby , + Felix Fietkau , + "John W. Linville" , + Greg Kroah-Hartman +Subject: [patch 49/87] mac80211: minstrel, fix memory corruption +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mac80211-minstrel-fix-memory-corruption.patch +Content-Length: 1024 +Lines: 32 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jiri Slaby + +commit 8e532175277d9a5eae49768ed086555081f741a7 upstream. + +minstrel doesn't count max rate count in fact, since it doesn't use +a loop variable `i' and hence allocs space only for bitrates found in +the first band. + +Fix it by involving the `i' as an index so that it traverses all the +bands now and finds the real max bitrate count. + +Signed-off-by: Jiri Slaby +Cc: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_minstrel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rc80211_minstrel.c ++++ b/net/mac80211/rc80211_minstrel.c +@@ -476,7 +476,7 @@ minstrel_alloc_sta(void *priv, struct ie + return NULL; + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { +- sband = hw->wiphy->bands[hw->conf.channel->band]; ++ sband = hw->wiphy->bands[i]; + if (sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:04 2009 +Message-Id: <20090609094103.781191797@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:38 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jiri Slaby , + "John W. Linville" , + Greg Kroah-Hartman +Subject: [patch 50/87] mac80211: pid, fix memory corruption +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mac80211-pid-fix-memory-corruption.patch +Content-Length: 4204 +Lines: 133 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jiri Slaby + +commit 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 upstream. + +pid doesn't count with some band having more bitrates than the one +associated the first time. +Fix that by counting the maximal available bitrate count and allocate +big enough space. + +Secondly, fix touching uninitialized memory which causes panics. +Index sucked from this random memory points to the hell. +The fix is to sort the rates on each band change. + +Signed-off-by: Jiri Slaby +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_pid_algo.c | 73 +++++++++++++++++++++------------------- + 1 file changed, 39 insertions(+), 34 deletions(-) + +--- a/net/mac80211/rc80211_pid_algo.c ++++ b/net/mac80211/rc80211_pid_algo.c +@@ -317,13 +317,44 @@ rate_control_pid_rate_init(void *priv, s + struct ieee80211_sta *sta, void *priv_sta) + { + struct rc_pid_sta_info *spinfo = priv_sta; ++ struct rc_pid_info *pinfo = priv; ++ struct rc_pid_rateinfo *rinfo = pinfo->rinfo; + struct sta_info *si; ++ int i, j, tmp; ++ bool s; + + /* TODO: This routine should consider using RSSI from previous packets + * as we need to have IEEE 802.1X auth succeed immediately after assoc.. + * Until that method is implemented, we will use the lowest supported + * rate as a workaround. */ + ++ /* Sort the rates. This is optimized for the most common case (i.e. ++ * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed ++ * mapping too. */ ++ for (i = 0; i < sband->n_bitrates; i++) { ++ rinfo[i].index = i; ++ rinfo[i].rev_index = i; ++ if (RC_PID_FAST_START) ++ rinfo[i].diff = 0; ++ else ++ rinfo[i].diff = i * pinfo->norm_offset; ++ } ++ for (i = 1; i < sband->n_bitrates; i++) { ++ s = 0; ++ for (j = 0; j < sband->n_bitrates - i; j++) ++ if (unlikely(sband->bitrates[rinfo[j].index].bitrate > ++ sband->bitrates[rinfo[j + 1].index].bitrate)) { ++ tmp = rinfo[j].index; ++ rinfo[j].index = rinfo[j + 1].index; ++ rinfo[j + 1].index = tmp; ++ rinfo[rinfo[j].index].rev_index = j; ++ rinfo[rinfo[j + 1].index].rev_index = j + 1; ++ s = 1; ++ } ++ if (!s) ++ break; ++ } ++ + spinfo->txrate_idx = rate_lowest_index(sband, sta); + /* HACK */ + si = container_of(sta, struct sta_info, sta); +@@ -336,21 +367,22 @@ static void *rate_control_pid_alloc(stru + struct rc_pid_info *pinfo; + struct rc_pid_rateinfo *rinfo; + struct ieee80211_supported_band *sband; +- int i, j, tmp; +- bool s; ++ int i, max_rates = 0; + #ifdef CONFIG_MAC80211_DEBUGFS + struct rc_pid_debugfs_entries *de; + #endif + +- sband = hw->wiphy->bands[hw->conf.channel->band]; +- + pinfo = kmalloc(sizeof(*pinfo), GFP_ATOMIC); + if (!pinfo) + return NULL; + +- /* We can safely assume that sband won't change unless we get +- * reinitialized. */ +- rinfo = kmalloc(sizeof(*rinfo) * sband->n_bitrates, GFP_ATOMIC); ++ for (i = 0; i < IEEE80211_NUM_BANDS; i++) { ++ sband = hw->wiphy->bands[i]; ++ if (sband->n_bitrates > max_rates) ++ max_rates = sband->n_bitrates; ++ } ++ ++ rinfo = kmalloc(sizeof(*rinfo) * max_rates, GFP_ATOMIC); + if (!rinfo) { + kfree(pinfo); + return NULL; +@@ -368,33 +400,6 @@ static void *rate_control_pid_alloc(stru + pinfo->rinfo = rinfo; + pinfo->oldrate = 0; + +- /* Sort the rates. This is optimized for the most common case (i.e. +- * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed +- * mapping too. */ +- for (i = 0; i < sband->n_bitrates; i++) { +- rinfo[i].index = i; +- rinfo[i].rev_index = i; +- if (RC_PID_FAST_START) +- rinfo[i].diff = 0; +- else +- rinfo[i].diff = i * pinfo->norm_offset; +- } +- for (i = 1; i < sband->n_bitrates; i++) { +- s = 0; +- for (j = 0; j < sband->n_bitrates - i; j++) +- if (unlikely(sband->bitrates[rinfo[j].index].bitrate > +- sband->bitrates[rinfo[j + 1].index].bitrate)) { +- tmp = rinfo[j].index; +- rinfo[j].index = rinfo[j + 1].index; +- rinfo[j + 1].index = tmp; +- rinfo[rinfo[j].index].rev_index = j; +- rinfo[rinfo[j + 1].index].rev_index = j + 1; +- s = 1; +- } +- if (!s) +- break; +- } +- + #ifdef CONFIG_MAC80211_DEBUGFS + de = &pinfo->dentries; + de->target = debugfs_create_u32("target_pf", S_IRUSR | S_IWUSR, + + +From greg@blue.kroah.org Tue Jun 9 02:41:04 2009 +Message-Id: <20090609094104.039304013@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:39 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "John W. Linville" , + Greg Kroah-Hartman +Subject: [patch 51/87] mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch +Content-Length: 1425 +Lines: 42 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: John W. Linville + +commit 621ad7c96aa138cfeab53cd4debc5a4e08b2189b upstream. + +"There is another problem with this piece of code. The sband will be NULL +after second iteration on single band device and cause null pointer +dereference. Everything is working with dual band card. Sorry, but i +don't know how to explain this clearly in English. I have looked on the +second patch for pid algorithm and found similar bug." + +Reported-by: Karol Szuster +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_minstrel.c | 2 +- + net/mac80211/rc80211_pid_algo.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rc80211_minstrel.c ++++ b/net/mac80211/rc80211_minstrel.c +@@ -477,7 +477,7 @@ minstrel_alloc_sta(void *priv, struct ie + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { + sband = hw->wiphy->bands[i]; +- if (sband->n_bitrates > max_rates) ++ if (sband && sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } + +--- a/net/mac80211/rc80211_pid_algo.c ++++ b/net/mac80211/rc80211_pid_algo.c +@@ -378,7 +378,7 @@ static void *rate_control_pid_alloc(stru + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { + sband = hw->wiphy->bands[i]; +- if (sband->n_bitrates > max_rates) ++ if (sband && sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:04 2009 +Message-Id: <20090609094104.269896926@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:40 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michael Chan , + "David S. Miller" , + Greg Kroah-Hartman +Subject: [patch 52/87] bnx2: Fix panic in bnx2_poll_work(). +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=bnx2-fix-panic-in-bnx2_poll_work.patch +Content-Length: 1927 +Lines: 58 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Michael Chan + +commit 581daf7e00c5e766f26aff80a61a860a17b0d75a upstream. + +Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue: + +http://bugzilla.kernel.org/show_bug.cgi?id=12698 + +This issue was reported by multiple i386 users. Without barrier(), +the compiled code looks like the following where %eax contains the +address of the tx_cons or rx_cons in the DMA status block. The +status block contents can change between the cmpb and the movzwl +instruction. The driver would crash if the value was not 0xff during +the cmpb instruction, but changed to 0xff during the movzwl +instruction. + +6828: 80 38 ff cmpb $0xff,(%eax) +682b: 0f b7 10 movzwl (%eax),%edx + +With the added barrier(), the compiled code now looks correct: + +683d: 0f b7 10 movzwl (%eax),%edx +6840: 0f b6 c2 movzbl %dl,%eax +6843: 3d ff 00 00 00 cmp $0xff,%eax + +Thanks to Pascal de Bruijn for reporting the +problem and Holger Noefer for patiently +testing test patches for us. + +[greg - took out version change] + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bnx2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/bnx2.c ++++ b/drivers/net/bnx2.c +@@ -2585,6 +2585,7 @@ bnx2_get_hw_tx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_tx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_TX_DESC_CNT) == MAX_TX_DESC_CNT)) + cons++; + return cons; +@@ -2864,6 +2865,7 @@ bnx2_get_hw_rx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_rx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_RX_DESC_CNT) == MAX_RX_DESC_CNT)) + cons++; + return cons; + + +From greg@blue.kroah.org Tue Jun 9 02:41:04 2009 +Message-Id: <20090609094104.496693358@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:41 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ingo Molnar , + Greg Kroah-Hartman +Subject: [patch 53/87] random: make get_random_int() more random +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=random-make-get_random_int-more-random.patch +Content-Length: 2657 +Lines: 68 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Linus Torvalds + +commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 upstream. + +It's a really simple patch that basically just open-codes the current +"secure_ip_id()" call, but when open-coding it we now use a _static_ +hashing area, so that it gets updated every time. + +And to make sure somebody can't just start from the same original seed of +all-zeroes, and then do the "half_md4_transform()" over and over until +they get the same sequence as the kernel has, each iteration also mixes in +the same old "current->pid + jiffies" we used - so we should now have a +regular strong pseudo-number generator, but we also have one that doesn't +have a single seed. + +Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It +has no real meaning. It could be anything. I just picked the previous +seed, it's just that now we keep the state in between calls and that will +feed into the next result, and that should make all the difference. + +I made that hash be a per-cpu data just to avoid cache-line ping-pong: +having multiple CPU's write to the same data would be fine for randomness, +and add yet another layer of chaos to it, but since get_random_int() is +supposed to be a fast interface I did it that way instead. I considered +using "__raw_get_cpu_var()" to avoid any preemption overhead while still +getting the hash be _mostly_ ping-pong free, but in the end good taste won +out. + +Signed-off-by: Ingo Molnar +Signed-off-by: Linus Torvalds +Cc: Jake Edge +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1660,15 +1660,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ ++DEFINE_PER_CPU(__u32 [4], get_random_int_hash); + unsigned int get_random_int(void) + { +- /* +- * Use IP's RNG. It suits our purpose perfectly: it re-keys itself +- * every second, from the entropy pool (and thus creates a limited +- * drain on it), and uses halfMD4Transform within the second. We +- * also mix it with jiffies and the PID: +- */ +- return secure_ip_id((__force __be32)(current->pid + jiffies)); ++ struct keydata *keyptr; ++ __u32 *hash = get_cpu_var(get_random_int_hash); ++ int ret; ++ ++ keyptr = get_keyptr(); ++ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret; ++ ++ ret = half_md4_transform(hash, keyptr->secret); ++ put_cpu_var(get_random_int_hash); ++ ++ return ret; + } + + /* + + +From greg@blue.kroah.org Tue Jun 9 02:41:04 2009 +Message-Id: <20090609094104.729987455@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:42 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Zoltan Karcagi , + Jiri Kosina , + Greg Kroah-Hartman +Subject: [patch 54/87] HID: fix dropped device-specific quirks +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=hid-fix-dropped-device-specific-quirks.patch +Content-Length: 790 +Lines: 30 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Zoltan Karcagi + +commit f5208997087e6eb2096532b5a313eeb236535bdc upstream. + +Device-specific quirks are set up correctly in their respective vendor-specific +driver, then get overwritten in usbhid_parse(). + +This is only issue for device-specific NOGET quirks being set by driver for a +few devices out there. + +Signed-off-by: Zoltan Karcagi +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -765,7 +765,7 @@ static int usbhid_parse(struct hid_devic + goto err; + } + +- hid->quirks = quirks; ++ hid->quirks |= quirks; + + return 0; + err: + + +From greg@blue.kroah.org Tue Jun 9 02:41:05 2009 +Message-Id: <20090609094104.954759812@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:43 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Adam Radford , + James Bottomley , + Greg Kroah-Hartman +Subject: [patch 55/87] [SCSI] 3w-xxxx: scsi_dma_unmap fix +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=3w-xxxx-scsi_dma_unmap-fix.patch +Content-Length: 1833 +Lines: 56 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: adam radford + +commit 7b14f58ad65f9d74e4273fb45360cfea824495aa upstream. + +This patch fixes the following regression that occurred during the +scsi_dma_map()/unmap() +changes when compiling with CONFIG_DMA_API_DEBUG=y : + +WARNING: at lib/dma-debug.c:496 check_unmap+0x142/0x542() +Hardware name: +3w-xxxx 0000:02:02.0: DMA-API: device driver tries to free DMA memory +it has not allocated [device address=0x0000000000000000] [size=36 +bytes] + +Signed-off-by: Adam Radford +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/3w-xxxx.c | 5 +++-- + drivers/scsi/3w-xxxx.h | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick +@@ -1294,7 +1294,8 @@ static void tw_unmap_scsi_data(struct pc + { + dprintk(KERN_WARNING "3w-xxxx: tw_unmap_scsi_data()\n"); + +- scsi_dma_unmap(cmd); ++ if (cmd->SCp.phase == TW_PHASE_SGLIST) ++ scsi_dma_unmap(cmd); + } /* End tw_unmap_scsi_data() */ + + /* This function will reset a device extension */ +--- a/drivers/scsi/3w-xxxx.h ++++ b/drivers/scsi/3w-xxxx.h +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick + + +From greg@blue.kroah.org Tue Jun 9 02:41:05 2009 +Message-Id: <20090609094105.199044910@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:44 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stephen Rothwell , + Josh Boyer , + Kumar Gala , + Greg Kroah-Hartman +Subject: [patch 56/87] powerpc: fix for long standing bug noticed by gcc 4.4.0 +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch +Content-Length: 760 +Lines: 27 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Stephen Rothwell + +commit b62c31ae401c6df25c61b206681a6e904ef97169 upstream. + +Previous gcc versions didn't notice this because one of the preceding +#ifs always evaluated to true. + +gcc 4.4.0 produced this error: + +arch/powerpc/mm/tlb_nohash_low.S:206:6: error: #elif with no expression + +Signed-off-by: Stephen Rothwell +Acked-by: Josh Boyer +Signed-off-by: Kumar Gala +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/powerpc/mm/tlb_nohash_low.S ++++ b/arch/powerpc/mm/tlb_nohash_low.S +@@ -191,6 +191,6 @@ ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_TLBILX) + isync + 1: wrtee r10 + blr +-#elif ++#else + #error Unsupported processor type ! + #endif + + +From greg@blue.kroah.org Tue Jun 9 02:41:05 2009 +Message-Id: <20090609094105.427022347@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:45 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tejun Heo , + Bartlomiej Zolnierkiewicz , + Greg Kroah-Hartman +Subject: [patch 57/87] ide-tape: remove back-to-back REQUEST_SENSE detection +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ide-tape-remove-back-to-back-request_sense-detection.patch +Content-Length: 1149 +Lines: 36 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tejun Heo + +commit 36999a5af1b6c5379e59f0ddf434db08d03c19e4 upstream. + +Impact: fix an oops which always triggers + +ide_tape_issue_pc() assumed drive->pc isn't NULL on invocation when +checking for back-to-back request sense issues but drive->pc can be +NULL and even when it's not NULL, it's not safe to dereference it once +the previous command is complete because pc could have been freed or +was on stack. Kill back-to-back REQUEST_SENSE detection. + +Signed-off-by: Tejun Heo +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-tape.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/ide/ide-tape.c ++++ b/drivers/ide/ide-tape.c +@@ -654,12 +654,6 @@ static ide_startstop_t idetape_issue_pc( + { + idetape_tape_t *tape = drive->driver_data; + +- if (drive->pc->c[0] == REQUEST_SENSE && +- pc->c[0] == REQUEST_SENSE) { +- printk(KERN_ERR "ide-tape: possible ide-tape.c bug - " +- "Two request sense in serial were issued\n"); +- } +- + if (tape->failed_pc == NULL && pc->c[0] != REQUEST_SENSE) + tape->failed_pc = pc; + + + +From greg@blue.kroah.org Tue Jun 9 02:41:05 2009 +Message-Id: <20090609094105.665209956@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Adam Williamson , + Takashi Iwai , + Greg Kroah-Hartman +Subject: [patch 58/87] ALSA: hda - fix audio on HP TX25xx series notebooks +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=alsa-hda-fix-audio-on-hp-tx25xx-series-notebooks.patch +Content-Length: 1079 +Lines: 28 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Adam Williamson + +commit 87488957a68293357a94c8142de7d0ae17914912 upstream. + +Fixes https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4121 + +Taken from https://bugzilla.redhat.com/show_bug.cgi?id=498060 + +Signed-off-by: Adam Williamson +Signed-off-by: Takashi Iwai +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11710,6 +11710,7 @@ static struct snd_pci_quirk alc268_cfg_t + SND_PCI_QUIRK(0x1028, 0x0253, "Dell OEM", ALC268_DELL), + SND_PCI_QUIRK(0x1028, 0x02b0, "Dell Inspiron Mini9", ALC268_DELL), + SND_PCI_QUIRK(0x103c, 0x30cc, "TOSHIBA", ALC268_TOSHIBA), ++ SND_PCI_QUIRK(0x103c, 0x30f1, "HP TX25xx series", ALC268_TOSHIBA), + SND_PCI_QUIRK(0x1043, 0x1205, "ASUS W7J", ALC268_3ST), + SND_PCI_QUIRK(0x1179, 0xff10, "TOSHIBA A205", ALC268_TOSHIBA), + SND_PCI_QUIRK(0x1179, 0xff50, "TOSHIBA A305", ALC268_TOSHIBA), + + +From greg@blue.kroah.org Tue Jun 9 02:41:06 2009 +Message-Id: <20090609094105.911241431@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Greg Kroah-Hartman +Subject: [patch 59/87] cdc-acm: Fix long standing abuse of tty->low_latency +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=cdc-acm-fix-long-standing-abuse-of-tty-low_latency.patch +Content-Length: 1150 +Lines: 35 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Cox + +commit 7a9a65ced11ece416b730d6f21040a18e62d78a8 upstream. + +ACM sets the low latency flag but calls the flip buffer routines from +IRQ context which isn't permitted (and as of 2.6.29 causes a warning +hence this one was caught) + +Fortunatelt ACM doesn't need to set this flag in the first place as it +only set it to work around problems in ancient (pre tty flip rewrite) +kernels. + +Reported-by: Chuck Ebbert +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -546,10 +546,6 @@ static int acm_tty_open(struct tty_struc + tty->driver_data = acm; + acm->tty = tty; + +- /* force low_latency on so that our tty_push actually forces the data through, +- otherwise it is scheduled, and with high data rates data can get lost. */ +- tty->low_latency = 1; +- + if (usb_autopm_get_interface(acm->control) < 0) + goto early_bail; + else + + +From greg@blue.kroah.org Tue Jun 9 02:41:06 2009 +Message-Id: <20090609094106.155875950@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Howells , + Greg Kroah-Hartman +Subject: [patch 60/87] keys: Handle there being no fallback destination keyring for request_key() +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=keys-handle-there-being-no-fallback-destination-keyring-for-request_key.patch +Content-Length: 2045 +Lines: 58 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Howells + +commit 34574dd10b6d0697b86703388d6d6af9cbf4bb48 upstream. + +When request_key() is called, without there being any standard process +keyrings on which to fall back if a destination keyring is not specified, an +oops is liable to occur when construct_alloc_key() calls down_write() on +dest_keyring's semaphore. + +Due to function inlining this may be seen as an oops in down_write() as called +from request_key_and_link(). + +This situation crops up during boot, where request_key() is called from within +the kernel (such as in CIFS mounts) where nobody is actually logged in, and so +PAM has not had a chance to create a session keyring and user keyrings to act +as the fallback. + +To fix this, make construct_alloc_key() not attempt to cache a key if there is +no fallback key if no destination keyring is given specifically. + +Signed-off-by: David Howells +Tested-by: Jeff Layton +Signed-off-by: Linus Torvalds +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/request_key.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -311,7 +311,8 @@ static int construct_alloc_key(struct ke + + set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); + +- down_write(&dest_keyring->sem); ++ if (dest_keyring) ++ down_write(&dest_keyring->sem); + + /* attach the key to the destination keyring under lock, but we do need + * to do another check just in case someone beat us to it whilst we +@@ -322,10 +323,12 @@ static int construct_alloc_key(struct ke + if (!IS_ERR(key_ref)) + goto key_already_present; + +- __key_link(dest_keyring, key); ++ if (dest_keyring) ++ __key_link(dest_keyring, key); + + mutex_unlock(&key_construction_mutex); +- up_write(&dest_keyring->sem); ++ if (dest_keyring) ++ up_write(&dest_keyring->sem); + mutex_unlock(&user->cons_lock); + *_key = key; + kleave(" = 0 [%d]", key_serial(key)); + + +From greg@blue.kroah.org Tue Jun 9 02:41:06 2009 +Message-Id: <20090609094106.388267421@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu , + Greg Kroah-Hartman +Subject: [patch 61/87] crypto: padlock - Revert aes-all alias to aes +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=crypto-padlock-revert-aes-all-alias-to-aes.patch +Content-Length: 773 +Lines: 25 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Herbert Xu + +commit acd246b7494c629aa617da49716409566cf52149 upstream. + +Since the padlock-aes driver doesn't require a fallback (it's +only padlock-sha that does), it should use the aes alias rather +than aes-all so that ones that do need a fallback can use it. + +Signed-off-by: Herbert Xu +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/padlock-aes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -489,4 +489,4 @@ MODULE_DESCRIPTION("VIA PadLock AES algo + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Michal Ludvig"); + +-MODULE_ALIAS("aes-all"); ++MODULE_ALIAS("aes"); + + +From greg@blue.kroah.org Tue Jun 9 02:41:06 2009 +Message-Id: <20090609094106.622250240@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Herbert Xu , + Greg Kroah-Hartman +Subject: [patch 62/87] crypto: api - Fix algorithm module auto-loading +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=crypto-api-fix-algorithm-module-auto-loading.patch +Content-Length: 1022 +Lines: 32 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Herbert Xu + +commit 37fc334cc8eb84f5fe0a5a1cbe6a6a68049e142a upstream. + +The commit a760a6656e6f00bb0144a42a048cf0266646e22c (crypto: +api - Fix module load deadlock with fallback algorithms) broke +the auto-loading of algorithms that require fallbacks. The +problem is that the fallback mask check is missing an and which +cauess bits that should be considered to interfere with the +result. + +Reported-by: Chuck Ebbert +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -221,7 +221,8 @@ struct crypto_alg *crypto_larval_lookup( + + request_module(name); + +- if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask) && ++ if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask & ++ CRYPTO_ALG_NEED_FALLBACK) && + snprintf(tmp, sizeof(tmp), "%s-all", name) < sizeof(tmp)) + request_module(tmp); + + + +From greg@blue.kroah.org Tue Jun 9 02:41:07 2009 +Message-Id: <20090609094106.861813779@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Jerome Marchand , + Roland McGrath , + Denys Vlasenko , + Greg Kroah-Hartman +Subject: [patch 63/87] ptrace: kill __ptrace_detach(), fix ->exit_state check +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ptrace-kill-__ptrace_detach-fix-exit_state-check.patch +Content-Length: 1743 +Lines: 63 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +commit 95c3eb76dc07fd81289888ffc42948196b34b444 upstream. + +Move the code from __ptrace_detach() to its single caller and kill this +helper. + +Also, fix the ->exit_state check, we shouldn't wake up EXIT_DEAD tasks. +Actually, I think task_is_stopped_or_traced() makes more sense, but this +needs another patch. + +Signed-off-by: Oleg Nesterov +Cc: Jerome Marchand +Cc: Roland McGrath +Cc: Denys Vlasenko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/ptrace.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -235,16 +235,6 @@ out: + return retval; + } + +-static inline void __ptrace_detach(struct task_struct *child, unsigned int data) +-{ +- child->exit_code = data; +- /* .. re-parent .. */ +- __ptrace_unlink(child); +- /* .. and wake it up. */ +- if (child->exit_state != EXIT_ZOMBIE) +- wake_up_process(child); +-} +- + int ptrace_detach(struct task_struct *child, unsigned int data) + { + if (!valid_signal(data)) +@@ -254,10 +244,16 @@ int ptrace_detach(struct task_struct *ch + ptrace_disable(child); + clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); + +- write_lock_irq(&tasklist_lock); + /* protect against de_thread()->release_task() */ +- if (child->ptrace) +- __ptrace_detach(child, data); ++ write_lock_irq(&tasklist_lock); ++ if (child->ptrace) { ++ child->exit_code = data; ++ ++ __ptrace_unlink(child); ++ ++ if (!child->exit_state) ++ wake_up_process(child); ++ } + write_unlock_irq(&tasklist_lock); + + return 0; + + +From greg@blue.kroah.org Tue Jun 9 02:41:07 2009 +Message-Id: <20090609094107.093854872@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Jerome Marchand , + Roland McGrath , + Denys Vlasenko , + Greg Kroah-Hartman +Subject: [patch 64/87] ptrace: simplify ptrace_exit()->ignoring_children() path +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ptrace-simplify-ptrace_exit-ignoring_children-path.patch +Content-Length: 2699 +Lines: 80 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +commit 6d69cb87f05eef3b02370b2f7bae608ad2301a00 upstream. + +ignoring_children() takes parent->sighand->siglock and checks +k_sigaction[SIGCHLD] atomically. But this buys nothing, we can't get the +"really" wrong result even if we race with sigaction(SIGCHLD). If we read +the "stale" sa_handler/sa_flags we can pretend it was changed right after +the check. + +Remove spin_lock(->siglock), and kill "int ign" which caches the result of +ignoring_children() which becomes rather trivial. + +Perhaps it makes sense to export this helper, do_notify_parent() can use +it too. + +Signed-off-by: Oleg Nesterov +Cc: Jerome Marchand +Cc: Roland McGrath +Cc: Denys Vlasenko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 25 ++++++++----------------- + 1 file changed, 8 insertions(+), 17 deletions(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -703,19 +703,15 @@ static void exit_mm(struct task_struct * + } + + /* +- * Return nonzero if @parent's children should reap themselves. +- * +- * Called with write_lock_irq(&tasklist_lock) held. ++ * Called with irqs disabled, returns true if childs should reap themselves. + */ +-static int ignoring_children(struct task_struct *parent) ++static int ignoring_children(struct sighand_struct *sigh) + { + int ret; +- struct sighand_struct *psig = parent->sighand; +- unsigned long flags; +- spin_lock_irqsave(&psig->siglock, flags); +- ret = (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN || +- (psig->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDWAIT)); +- spin_unlock_irqrestore(&psig->siglock, flags); ++ spin_lock(&sigh->siglock); ++ ret = (sigh->action[SIGCHLD-1].sa.sa_handler == SIG_IGN) || ++ (sigh->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDWAIT); ++ spin_unlock(&sigh->siglock); + return ret; + } + +@@ -728,7 +724,6 @@ static int ignoring_children(struct task + static void ptrace_exit(struct task_struct *parent, struct list_head *dead) + { + struct task_struct *p, *n; +- int ign = -1; + + list_for_each_entry_safe(p, n, &parent->ptraced, ptrace_entry) { + __ptrace_unlink(p); +@@ -750,12 +745,8 @@ static void ptrace_exit(struct task_stru + if (!task_detached(p) && thread_group_empty(p)) { + if (!same_thread_group(p->real_parent, parent)) + do_notify_parent(p, p->exit_signal); +- else { +- if (ign < 0) +- ign = ignoring_children(parent); +- if (ign) +- p->exit_signal = -1; +- } ++ else if (ignoring_children(parent->sighand)) ++ p->exit_signal = -1; + } + + if (task_detached(p)) { + + +From greg@blue.kroah.org Tue Jun 9 02:41:07 2009 +Message-Id: <20090609094107.328131075@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Jerome Marchand , + Roland McGrath , + Denys Vlasenko , + Greg Kroah-Hartman +Subject: [patch 65/87] ptrace: reintroduce __ptrace_detach() as a callee of ptrace_exit() +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ptrace-reintroduce-__ptrace_detach-as-a-callee-of-ptrace_exit.patch +Content-Length: 3097 +Lines: 101 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +commit b1b4c6799fb59e710454bfe0ab477cb8523a8667 upstream. + +No functional changes, preparation for the next patch. + +Move the "should we release this child" logic into the separate handler, +__ptrace_detach(). + +Signed-off-by: Oleg Nesterov +Cc: Jerome Marchand +Cc: Roland McGrath +Cc: Denys Vlasenko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 62 ++++++++++++++++++++++++++++++---------------------------- + 1 file changed, 33 insertions(+), 29 deletions(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -715,6 +715,38 @@ static int ignoring_children(struct sigh + return ret; + } + ++/* Returns nonzero if the tracee should be released. */ ++int __ptrace_detach(struct task_struct *tracer, struct task_struct *p) ++{ ++ __ptrace_unlink(p); ++ ++ if (p->exit_state != EXIT_ZOMBIE) ++ return 0; ++ /* ++ * If it's a zombie, our attachedness prevented normal ++ * parent notification or self-reaping. Do notification ++ * now if it would have happened earlier. If it should ++ * reap itself we return true. ++ * ++ * If it's our own child, there is no notification to do. ++ * But if our normal children self-reap, then this child ++ * was prevented by ptrace and we must reap it now. ++ */ ++ if (!task_detached(p) && thread_group_empty(p)) { ++ if (!same_thread_group(p->real_parent, tracer)) ++ do_notify_parent(p, p->exit_signal); ++ else if (ignoring_children(tracer->sighand)) ++ p->exit_signal = -1; ++ } ++ ++ if (!task_detached(p)) ++ return 0; ++ ++ /* Mark it as in the process of being reaped. */ ++ p->exit_state = EXIT_DEAD; ++ return 1; ++} ++ + /* + * Detach all tasks we were using ptrace on. + * Any that need to be release_task'd are put on the @dead list. +@@ -726,36 +758,8 @@ static void ptrace_exit(struct task_stru + struct task_struct *p, *n; + + list_for_each_entry_safe(p, n, &parent->ptraced, ptrace_entry) { +- __ptrace_unlink(p); +- +- if (p->exit_state != EXIT_ZOMBIE) +- continue; +- +- /* +- * If it's a zombie, our attachedness prevented normal +- * parent notification or self-reaping. Do notification +- * now if it would have happened earlier. If it should +- * reap itself, add it to the @dead list. We can't call +- * release_task() here because we already hold tasklist_lock. +- * +- * If it's our own child, there is no notification to do. +- * But if our normal children self-reap, then this child +- * was prevented by ptrace and we must reap it now. +- */ +- if (!task_detached(p) && thread_group_empty(p)) { +- if (!same_thread_group(p->real_parent, parent)) +- do_notify_parent(p, p->exit_signal); +- else if (ignoring_children(parent->sighand)) +- p->exit_signal = -1; +- } +- +- if (task_detached(p)) { +- /* +- * Mark it as in the process of being reaped. +- */ +- p->exit_state = EXIT_DEAD; ++ if (__ptrace_detach(parent, p)) + list_add(&p->ptrace_entry, dead); +- } + } + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:07 2009 +Message-Id: <20090609094107.655778381@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Jerome Marchand , + Roland McGrath , + Greg Kroah-Hartman +Subject: [patch 66/87] ptrace: fix possible zombie leak on PTRACE_DETACH +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ptrace-fix-possible-zombie-leak-on-ptrace_detach.patch +Content-Length: 2160 +Lines: 71 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +commit 4576145c1ecdaaea9ef8976a48335206aa1ebf91 upstream. + +When ptrace_detach() takes tasklist, the tracee can be SIGKILL'ed. If it +has already passed exit_notify() we can leak a zombie, because a) ptracing +disables the auto-reaping logic, and b) ->real_parent was not notified +about the child's death. + +ptrace_detach() should follow the ptrace_exit's logic, change the code +accordingly. + +Signed-off-by: Oleg Nesterov +Cc: Jerome Marchand +Cc: Roland McGrath +Tested-by: Denys Vlasenko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/ptrace.h | 1 + + kernel/ptrace.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -94,6 +94,7 @@ extern void ptrace_notify(int exit_code) + extern void __ptrace_link(struct task_struct *child, + struct task_struct *new_parent); + extern void __ptrace_unlink(struct task_struct *child); ++extern int __ptrace_detach(struct task_struct *tracer, struct task_struct *p); + extern void ptrace_fork(struct task_struct *task, unsigned long clone_flags); + #define PTRACE_MODE_READ 1 + #define PTRACE_MODE_ATTACH 2 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -237,6 +237,8 @@ out: + + int ptrace_detach(struct task_struct *child, unsigned int data) + { ++ int dead = 0; ++ + if (!valid_signal(data)) + return -EIO; + +@@ -244,18 +246,21 @@ int ptrace_detach(struct task_struct *ch + ptrace_disable(child); + clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); + +- /* protect against de_thread()->release_task() */ + write_lock_irq(&tasklist_lock); ++ /* protect against de_thread()->release_task() */ + if (child->ptrace) { + child->exit_code = data; + +- __ptrace_unlink(child); ++ dead = __ptrace_detach(current, child); + + if (!child->exit_state) + wake_up_process(child); + } + write_unlock_irq(&tasklist_lock); + ++ if (unlikely(dead)) ++ release_task(child); ++ + return 0; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:08 2009 +Message-Id: <20090609094107.906495786@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Andreas Herrmann , + Mark Hounschell , + Borislav Petkov , + Ingo Molnar , + Greg Kroah-Hartman +Subject: [patch 67/87] x86: hpet: provide separate functions to stop and start the counter +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=x86-hpet-provide-separate-functions-to-stop-and-start-the-counter.patch +Content-Length: 1952 +Lines: 80 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Andreas Herrmann + +commit 8d6f0c8214928f7c5083dd54ecb69c5d615b516e upstream. + +By splitting up existing hpet_start_counter function. + +Signed-off-by: Andreas Herrmann +Cc: Mark Hounschell +Cc: Borislav Petkov +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/hpet.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -191,27 +191,37 @@ static struct clock_event_device hpet_cl + .rating = 50, + }; + +-static void hpet_start_counter(void) ++static void hpet_stop_counter(void) + { + unsigned long cfg = hpet_readl(HPET_CFG); +- + cfg &= ~HPET_CFG_ENABLE; + hpet_writel(cfg, HPET_CFG); + hpet_writel(0, HPET_COUNTER); + hpet_writel(0, HPET_COUNTER + 4); ++} ++ ++static void hpet_start_counter(void) ++{ ++ unsigned long cfg = hpet_readl(HPET_CFG); + cfg |= HPET_CFG_ENABLE; + hpet_writel(cfg, HPET_CFG); + } + ++static void hpet_restart_counter(void) ++{ ++ hpet_stop_counter(); ++ hpet_start_counter(); ++} ++ + static void hpet_resume_device(void) + { + force_hpet_resume(); + } + +-static void hpet_restart_counter(void) ++static void hpet_resume_counter(void) + { + hpet_resume_device(); +- hpet_start_counter(); ++ hpet_restart_counter(); + } + + static void hpet_enable_legacy_int(void) +@@ -695,7 +705,7 @@ static struct clocksource clocksource_hp + .mask = HPET_MASK, + .shift = HPET_SHIFT, + .flags = CLOCK_SOURCE_IS_CONTINUOUS, +- .resume = hpet_restart_counter, ++ .resume = hpet_resume_counter, + #ifdef CONFIG_X86_64 + .vread = vread_hpet, + #endif +@@ -707,7 +717,7 @@ static int hpet_clocksource_register(voi + cycle_t t1; + + /* Start the counter */ +- hpet_start_counter(); ++ hpet_restart_counter(); + + /* Verify whether hpet counter works */ + t1 = read_hpet(); + + +From greg@blue.kroah.org Tue Jun 9 02:41:08 2009 +Message-Id: <20090609094108.173791423@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ingo Molnar , + Andreas Herrmann , + Mark Hounschell , + Borislav Petkov , + Greg Kroah-Hartman +Subject: [patch 68/87] x86: hpet: stop HPET_COUNTER when programming periodic mode +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=x86-hpet-stop-hpet_counter-when-programming-periodic-mode.patch +Content-Length: 2189 +Lines: 68 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Andreas Herrmann + +commit c23e253e67c9d8a91a0ffa33c1f571a17f0a2403 upstream + +x86: hpet: stop HPET_COUNTER when programming periodic mode + +Impact: fix system hang on some systems operating with HZ_1000 + +On a system that stalled with HZ_1000, the first value written to +T0_CMP (when the main counter was not stopped) did not trigger an +interrupt. Instead after the main counter wrapped around (after +several minutes) an interrupt was triggered and afterwards the +periodic interrupt took effect. + +This can be fixed by implementing HPET spec recommendation for +programming the periodic mode (i.e. stopping the main counter). + +[cebbert@redhat.com: backport to 2.6.29] + +Signed-off-by: Andreas Herrmann +Cc: Mark Hounschell +Cc: Borislav Petkov +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman +--- + +--- + arch/x86/kernel/hpet.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -269,29 +269,22 @@ static int hpet_setup_msi_irq(unsigned i + static void hpet_set_mode(enum clock_event_mode mode, + struct clock_event_device *evt, int timer) + { +- unsigned long cfg, cmp, now; ++ unsigned long cfg; + uint64_t delta; + + switch (mode) { + case CLOCK_EVT_MODE_PERIODIC: ++ hpet_stop_counter(); + delta = ((uint64_t)(NSEC_PER_SEC/HZ)) * evt->mult; + delta >>= evt->shift; +- now = hpet_readl(HPET_COUNTER); +- cmp = now + (unsigned long) delta; + cfg = hpet_readl(HPET_Tn_CFG(timer)); + /* Make sure we use edge triggered interrupts */ + cfg &= ~HPET_TN_LEVEL; + cfg |= HPET_TN_ENABLE | HPET_TN_PERIODIC | + HPET_TN_SETVAL | HPET_TN_32BIT; + hpet_writel(cfg, HPET_Tn_CFG(timer)); +- /* +- * The first write after writing TN_SETVAL to the +- * config register sets the counter value, the second +- * write sets the period. +- */ +- hpet_writel(cmp, HPET_Tn_CMP(timer)); +- udelay(1); + hpet_writel((unsigned long) delta, HPET_Tn_CMP(timer)); ++ hpet_start_counter(); + break; + + case CLOCK_EVT_MODE_ONESHOT: + + +From greg@blue.kroah.org Tue Jun 9 02:41:08 2009 +Message-Id: <20090609094108.439675561@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Andreas Herrmann , + Ingo Molnar , + Greg Kroah-Hartman +Subject: [patch 69/87] x86: hpet: fix periodic mode programming on AMD 81xx +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=x86-hpet-fix-periodic-mode-programming-on-amd-81xx.patch +Content-Length: 2874 +Lines: 86 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Andreas Herrmann + +commit 7a6f9cbb37120c745fc187083fb5c3de4dca4f97 upstream. + +(See http://bugzilla.kernel.org/show_bug.cgi?id=12961) + +It partially reverts commit c23e253e67c9d8a91a0ffa33c1f571a17f0a2403 +(x86: hpet: stop HPET_COUNTER when programming periodic mode) + +HPET on AMD 81xx chipset needs a second write (with HPET_TN_SETVAL +cleared) to T0_CMP register to set the period in periodic mode. + +With this patch HPET_COUNTER is still stopped but not reset when HPET +is programmed in periodic mode. This should help to avoid races when +HPET is programmed in periodic mode and fixes a boot time hang that +I've observed on a machine when using 1000HZ. + +[ Impact: fix boot time hang on machines with AMD 81xx chipset ] + +Reported-by: Jeff Mahoney +Signed-off-by: Andreas Herrmann +Tested-by: Jeff Mahoney +LKML-Reference: <20090421180037.GA2763@alberich.amd.com> +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/hpet.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -196,6 +196,10 @@ static void hpet_stop_counter(void) + unsigned long cfg = hpet_readl(HPET_CFG); + cfg &= ~HPET_CFG_ENABLE; + hpet_writel(cfg, HPET_CFG); ++} ++ ++static void hpet_reset_counter(void) ++{ + hpet_writel(0, HPET_COUNTER); + hpet_writel(0, HPET_COUNTER + 4); + } +@@ -210,6 +214,7 @@ static void hpet_start_counter(void) + static void hpet_restart_counter(void) + { + hpet_stop_counter(); ++ hpet_reset_counter(); + hpet_start_counter(); + } + +@@ -269,7 +274,7 @@ static int hpet_setup_msi_irq(unsigned i + static void hpet_set_mode(enum clock_event_mode mode, + struct clock_event_device *evt, int timer) + { +- unsigned long cfg; ++ unsigned long cfg, cmp, now; + uint64_t delta; + + switch (mode) { +@@ -277,12 +282,23 @@ static void hpet_set_mode(enum clock_eve + hpet_stop_counter(); + delta = ((uint64_t)(NSEC_PER_SEC/HZ)) * evt->mult; + delta >>= evt->shift; ++ now = hpet_readl(HPET_COUNTER); ++ cmp = now + (unsigned long) delta; + cfg = hpet_readl(HPET_Tn_CFG(timer)); + /* Make sure we use edge triggered interrupts */ + cfg &= ~HPET_TN_LEVEL; + cfg |= HPET_TN_ENABLE | HPET_TN_PERIODIC | + HPET_TN_SETVAL | HPET_TN_32BIT; + hpet_writel(cfg, HPET_Tn_CFG(timer)); ++ hpet_writel(cmp, HPET_Tn_CMP(timer)); ++ udelay(1); ++ /* ++ * HPET on AMD 81xx needs a second write (with HPET_TN_SETVAL ++ * cleared) to T0_CMP to set the period. The HPET_TN_SETVAL ++ * bit is automatically cleared after the first write. ++ * (See AMD-8111 HyperTransport I/O Hub Data Sheet, ++ * Publication # 24674) ++ */ + hpet_writel((unsigned long) delta, HPET_Tn_CMP(timer)); + hpet_start_counter(); + break; + + +From greg@blue.kroah.org Tue Jun 9 02:41:09 2009 +Message-Id: <20090609094108.798977298@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Duane Griffin , + Andreas Dilger , + Greg Kroah-Hartman +Subject: [patch 70/87] ext4: dont inherit inappropriate inode flags from parent +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-don-t-inherit-inappropriate-inode-flags-from-parent.patch +Content-Length: 1941 +Lines: 54 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Duane Griffin + +(cherry picked from commit 8fa43a81b97853fc69417bb6054182e78f95cbeb) + +At present INDEX and EXTENTS are the only flags that new ext4 inodes do +NOT inherit from their parent. In addition prevent the flags DIRTY, +ECOMPR, IMAGIC, TOPDIR, HUGE_FILE and EXT_MIGRATE from being inherited. +List inheritable flags explicitly to prevent future flags from +accidentally being inherited. + +This fixes the TOPDIR flag inheritance bug reported at +http://bugzilla.kernel.org/show_bug.cgi?id=9866. + +Signed-off-by: Duane Griffin +Acked-by: Andreas Dilger +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ext4.h | 7 +++++++ + fs/ext4/ialloc.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -248,6 +248,13 @@ struct flex_groups { + #define EXT4_FL_USER_VISIBLE 0x000BDFFF /* User visible flags */ + #define EXT4_FL_USER_MODIFIABLE 0x000B80FF /* User modifiable flags */ + ++/* Flags that should be inherited by new inodes from their parent. */ ++#define EXT4_FL_INHERITED (EXT4_SECRM_FL | EXT4_UNRM_FL | EXT4_COMPR_FL |\ ++ EXT4_SYNC_FL | EXT4_IMMUTABLE_FL | EXT4_APPEND_FL |\ ++ EXT4_NODUMP_FL | EXT4_NOATIME_FL |\ ++ EXT4_NOCOMPR_FL | EXT4_JOURNAL_DATA_FL |\ ++ EXT4_NOTAIL_FL | EXT4_DIRSYNC_FL) ++ + /* + * Inode dynamic state flags + */ +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -889,7 +889,7 @@ got: + * newly created directory and file only if -o extent mount option is + * specified + */ +- ei->i_flags = EXT4_I(dir)->i_flags & ~(EXT4_INDEX_FL|EXT4_EXTENTS_FL); ++ ei->i_flags = EXT4_I(dir)->i_flags & EXT4_FL_INHERITED; + if (S_ISLNK(mode)) + ei->i_flags &= ~(EXT4_IMMUTABLE_FL|EXT4_APPEND_FL); + /* dirsync only applies to directories */ + + +From greg@blue.kroah.org Tue Jun 9 02:41:09 2009 +Message-Id: <20090609094109.038712318@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:39:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Duane Griffin , + Andreas Dilger , + Greg Kroah-Hartman +Subject: [patch 71/87] ext4: tighten restrictions on inode flags +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-tighten-restrictions-on-inode-flags.patch +Content-Length: 2965 +Lines: 90 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Duane Griffin + +(cherry picked from commit 2dc6b0d48ca0599837df21b14bb8393d0804af57) + +At the moment there are few restrictions on which flags may be set on +which inodes. Specifically DIRSYNC may only be set on directories and +IMMUTABLE and APPEND may not be set on links. Tighten that to disallow +TOPDIR being set on non-directories and only NODUMP and NOATIME to be set +on non-regular file, non-directories. + +Introduces a flags masking function which masks flags based on mode and +use it during inode creation and when flags are set via the ioctl to +facilitate future consistency. + +Signed-off-by: Duane Griffin +Acked-by: Andreas Dilger +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 17 +++++++++++++++++ + fs/ext4/ialloc.c | 14 +++++--------- + fs/ext4/ioctl.c | 3 +-- + 3 files changed, 23 insertions(+), 11 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -255,6 +255,23 @@ struct flex_groups { + EXT4_NOCOMPR_FL | EXT4_JOURNAL_DATA_FL |\ + EXT4_NOTAIL_FL | EXT4_DIRSYNC_FL) + ++/* Flags that are appropriate for regular files (all but dir-specific ones). */ ++#define EXT4_REG_FLMASK (~(EXT4_DIRSYNC_FL | EXT4_TOPDIR_FL)) ++ ++/* Flags that are appropriate for non-directories/regular files. */ ++#define EXT4_OTHER_FLMASK (EXT4_NODUMP_FL | EXT4_NOATIME_FL) ++ ++/* Mask out flags that are inappropriate for the given type of inode. */ ++static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags) ++{ ++ if (S_ISDIR(mode)) ++ return flags; ++ else if (S_ISREG(mode)) ++ return flags & EXT4_REG_FLMASK; ++ else ++ return flags & EXT4_OTHER_FLMASK; ++} ++ + /* + * Inode dynamic state flags + */ +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -885,16 +885,12 @@ got: + ei->i_disksize = 0; + + /* +- * Don't inherit extent flag from directory. We set extent flag on +- * newly created directory and file only if -o extent mount option is +- * specified ++ * Don't inherit extent flag from directory, amongst others. We set ++ * extent flag on newly created directory and file only if -o extent ++ * mount option is specified + */ +- ei->i_flags = EXT4_I(dir)->i_flags & EXT4_FL_INHERITED; +- if (S_ISLNK(mode)) +- ei->i_flags &= ~(EXT4_IMMUTABLE_FL|EXT4_APPEND_FL); +- /* dirsync only applies to directories */ +- if (!S_ISDIR(mode)) +- ei->i_flags &= ~EXT4_DIRSYNC_FL; ++ ei->i_flags = ++ ext4_mask_flags(mode, EXT4_I(dir)->i_flags & EXT4_FL_INHERITED); + ei->i_file_acl = 0; + ei->i_dtime = 0; + ei->i_block_group = group; +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -48,8 +48,7 @@ long ext4_ioctl(struct file *filp, unsig + if (err) + return err; + +- if (!S_ISDIR(inode->i_mode)) +- flags &= ~EXT4_DIRSYNC_FL; ++ flags = ext4_mask_flags(inode->i_mode, flags); + + err = -EPERM; + mutex_lock(&inode->i_mutex); + + +From greg@blue.kroah.org Tue Jun 9 02:41:09 2009 +Message-Id: <20090609094109.269138659@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Bryan Donlan , + Greg Kroah-Hartman +Subject: [patch 72/87] ext4: return -EIO not -ESTALE on directory traversal through deleted inode +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-return-eio-not-estale-on-directory-traversal-through-deleted-inode.patch +Content-Length: 1717 +Lines: 52 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Bryan Donlan + +(cherry picked from commit e6f009b0b45220c004672d41a58865e94946104d) + +ext4_iget() returns -ESTALE if invoked on a deleted inode, in order to +report errors to NFS properly. However, in ext4_lookup(), this +-ESTALE can be propagated to userspace if the filesystem is corrupted +such that a directory entry references a deleted inode. This leads to +a misleading error message - "Stale NFS file handle" - and confusion +on the part of the admin. + +The bug can be easily reproduced by creating a new filesystem, making +a link to an unused inode using debugfs, then mounting and attempting +to ls -l said link. + +This patch thus changes ext4_lookup to return -EIO if it receives +-ESTALE from ext4_iget(), as ext4 does for other filesystem metadata +corruption; and also invokes the appropriate ext*_error functions when +this case is detected. + +Signed-off-by: Bryan Donlan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1052,8 +1052,16 @@ static struct dentry *ext4_lookup(struct + return ERR_PTR(-EIO); + } + inode = ext4_iget(dir->i_sb, ino); +- if (IS_ERR(inode)) +- return ERR_CAST(inode); ++ if (unlikely(IS_ERR(inode))) { ++ if (PTR_ERR(inode) == -ESTALE) { ++ ext4_error(dir->i_sb, __func__, ++ "deleted inode referenced: %u", ++ ino); ++ return ERR_PTR(-EIO); ++ } else { ++ return ERR_CAST(inode); ++ } ++ } + } + return d_splice_alias(inode, dentry); + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:09 2009 +Message-Id: <20090609094109.510003780@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 73/87] ext4: Add fine print for the 32000 subdirectory limit +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-add-fine-print-for-the-32000-subdirectory-limit.patch +Content-Length: 1505 +Lines: 38 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 722bde6875bfb49a0c84e5601eb82dd7ac02d27c) + +Some poeple are reading the ext4 feature list too literally and create +dubious test cases involving very long filenames and 1k blocksize and +then complain when they run into an htree-imposed limit. So add fine +print to the "fix 32000 subdirectory limit" ext4 feature. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/ext4.txt | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/Documentation/filesystems/ext4.txt ++++ b/Documentation/filesystems/ext4.txt +@@ -85,7 +85,7 @@ Note: More extensive information for get + * extent format more robust in face of on-disk corruption due to magics, + * internal redundancy in tree + * improved file allocation (multi-block alloc) +-* fix 32000 subdirectory limit ++* lift 32000 subdirectory limit imposed by i_links_count[1] + * nsec timestamps for mtime, atime, ctime, create time + * inode version field on disk (NFSv4, Lustre) + * reduced e2fsck time via uninit_bg feature +@@ -100,6 +100,9 @@ Note: More extensive information for get + * efficent new ordered mode in JBD2 and ext4(avoid using buffer head to force + the ordering) + ++[1] Filesystems with a block size of 1k may see a limit imposed by the ++directory hash tree having a maximum depth of two. ++ + 2.2 Candidate features for future inclusion + + * Online defrag (patches available but not well tested) + + +From greg@blue.kroah.org Tue Jun 9 02:41:09 2009 +Message-Id: <20090609094109.747267724@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 74/87] ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-add-ext4_ioc_alloc_da_blks-ioctl.patch +Content-Length: 3863 +Lines: 112 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit ccd2506bd43113659aa904d5bea5d1300605e2a6) + +Add an ioctl which forces all of the delay allocated blocks to be +allocated. This also provides a function ext4_alloc_da_blocks() which +will be used by the following commits to force files to be fully +allocated to preserve application-expected ext3 behaviour. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 3 +++ + fs/ext4/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + fs/ext4/ioctl.c | 14 ++++++++++++++ + 3 files changed, 59 insertions(+) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -326,7 +326,9 @@ struct ext4_new_group_data { + #define EXT4_IOC_GROUP_EXTEND _IOW('f', 7, unsigned long) + #define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input) + #define EXT4_IOC_MIGRATE _IO('f', 9) ++ /* note ioctl 10 reserved for an early version of the FIEMAP ioctl */ + /* note ioctl 11 reserved for filesystem-independent FIEMAP ioctl */ ++#define EXT4_IOC_ALLOC_DA_BLKS _IO('f', 12) + + /* + * ioctl commands in 32 bit emulation +@@ -1115,6 +1117,7 @@ extern int ext4_can_truncate(struct inod + extern void ext4_truncate(struct inode *); + extern void ext4_set_inode_flags(struct inode *); + extern void ext4_get_inode_flags(struct ext4_inode_info *); ++extern int ext4_alloc_da_blocks(struct inode *inode); + extern void ext4_set_aops(struct inode *inode); + extern int ext4_writepage_trans_blocks(struct inode *); + extern int ext4_meta_trans_blocks(struct inode *, int nrblocks, int idxblocks); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2816,6 +2816,48 @@ out: + return; + } + ++/* ++ * Force all delayed allocation blocks to be allocated for a given inode. ++ */ ++int ext4_alloc_da_blocks(struct inode *inode) ++{ ++ if (!EXT4_I(inode)->i_reserved_data_blocks && ++ !EXT4_I(inode)->i_reserved_meta_blocks) ++ return 0; ++ ++ /* ++ * We do something simple for now. The filemap_flush() will ++ * also start triggering a write of the data blocks, which is ++ * not strictly speaking necessary (and for users of ++ * laptop_mode, not even desirable). However, to do otherwise ++ * would require replicating code paths in: ++ * ++ * ext4_da_writepages() -> ++ * write_cache_pages() ---> (via passed in callback function) ++ * __mpage_da_writepage() --> ++ * mpage_add_bh_to_extent() ++ * mpage_da_map_blocks() ++ * ++ * The problem is that write_cache_pages(), located in ++ * mm/page-writeback.c, marks pages clean in preparation for ++ * doing I/O, which is not desirable if we're not planning on ++ * doing I/O at all. ++ * ++ * We could call write_cache_pages(), and then redirty all of ++ * the pages by calling redirty_page_for_writeback() but that ++ * would be ugly in the extreme. So instead we would need to ++ * replicate parts of the code in the above functions, ++ * simplifying them becuase we wouldn't actually intend to ++ * write out the pages, but rather only collect contiguous ++ * logical block extents, call the multi-block allocator, and ++ * then update the buffer heads with the block allocations. ++ * ++ * For now, though, we'll cheat by calling filemap_flush(), ++ * which will map the blocks, and start the I/O, but not ++ * actually wait for the I/O to complete. ++ */ ++ return filemap_flush(inode->i_mapping); ++} + + /* + * bmap() is special. It gets used by applications such as lilo and by +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -262,6 +262,20 @@ setversion_out: + return err; + } + ++ case EXT4_IOC_ALLOC_DA_BLKS: ++ { ++ int err; ++ if (!is_owner_or_cap(inode)) ++ return -EACCES; ++ ++ err = mnt_want_write(filp->f_path.mnt); ++ if (err) ++ return err; ++ err = ext4_alloc_da_blocks(inode); ++ mnt_drop_write(filp->f_path.mnt); ++ return err; ++ } ++ + default: + return -ENOTTY; + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:10 2009 +Message-Id: <20090609094109.986748238@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 75/87] ext4: Automatically allocate delay allocated blocks on close +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-automatically-allocate-delay-allocated-blocks-on-close.patch +Content-Length: 1935 +Lines: 55 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 7d8f9f7d150dded7b68e61ca6403a1f166fb4edf) + +When closing a file that had been previously truncated, force any +delay allocated blocks that to be allocated so that if the filesystem +is mounted with data=ordered, the data blocks will be pushed out to +disk along with the journal commit. Many application programs expect +this, so we do this to avoid zero length files if the system crashes +unexpectedly. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 1 + + fs/ext4/file.c | 4 ++++ + fs/ext4/inode.c | 3 +++ + 3 files changed, 8 insertions(+) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -279,6 +279,7 @@ static inline __u32 ext4_mask_flags(umod + #define EXT4_STATE_NEW 0x00000002 /* inode is newly created */ + #define EXT4_STATE_XATTR 0x00000004 /* has in-inode xattrs */ + #define EXT4_STATE_NO_EXPAND 0x00000008 /* No space for expansion */ ++#define EXT4_STATE_DA_ALLOC_CLOSE 0x00000010 /* Alloc DA blks on close */ + + /* Used to pass group descriptor data when online resize is done */ + struct ext4_new_group_input { +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -33,6 +33,10 @@ + */ + static int ext4_release_file(struct inode *inode, struct file *filp) + { ++ if (EXT4_I(inode)->i_state & EXT4_STATE_DA_ALLOC_CLOSE) { ++ ext4_alloc_da_blocks(inode); ++ EXT4_I(inode)->i_state &= ~EXT4_STATE_DA_ALLOC_CLOSE; ++ } + /* if we are the last writer on the inode, drop the block reservation */ + if ((filp->f_mode & FMODE_WRITE) && + (atomic_read(&inode->i_writecount) == 1)) +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3880,6 +3880,9 @@ void ext4_truncate(struct inode *inode) + if (!ext4_can_truncate(inode)) + return; + ++ if (inode->i_size == 0) ++ ei->i_state |= EXT4_STATE_DA_ALLOC_CLOSE; ++ + if (EXT4_I(inode)->i_flags & EXT4_EXTENTS_FL) { + ext4_ext_truncate(inode); + return; + + +From greg@blue.kroah.org Tue Jun 9 02:41:10 2009 +Message-Id: <20090609094110.231154433@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 76/87] ext4: Automatically allocate delay allocated blocks on rename +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch +Content-Length: 1402 +Lines: 46 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 8750c6d5fcbd3342b3d908d157f81d345c5325a7) + +When renaming a file such that a link to another inode is overwritten, +force any delay allocated blocks that to be allocated so that if the +filesystem is mounted with data=ordered, the data blocks will be +pushed out to disk along with the journal commit. Many application +programs expect this, so we do this to avoid zero length files if the +system crashes unexpectedly. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2319,7 +2319,7 @@ static int ext4_rename(struct inode *old + struct inode *old_inode, *new_inode; + struct buffer_head *old_bh, *new_bh, *dir_bh; + struct ext4_dir_entry_2 *old_de, *new_de; +- int retval; ++ int retval, force_da_alloc = 0; + + old_bh = new_bh = dir_bh = NULL; + +@@ -2457,6 +2457,7 @@ static int ext4_rename(struct inode *old + ext4_mark_inode_dirty(handle, new_inode); + if (!new_inode->i_nlink) + ext4_orphan_add(handle, new_inode); ++ force_da_alloc = 1; + } + retval = 0; + +@@ -2465,6 +2466,8 @@ end_rename: + brelse(old_bh); + brelse(new_bh); + ext4_journal_stop(handle); ++ if (retval == 0 && force_da_alloc) ++ ext4_alloc_da_blocks(old_inode); + return retval; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:10 2009 +Message-Id: <20090609094110.456250714@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + "Aneesh Kumar K.V" , + Greg Kroah-Hartman +Subject: [patch 77/87] ext4: Fix discard of inode prealloc space with delayed allocation. +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch +Content-Length: 1790 +Lines: 51 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Aneesh Kumar K.V + +(cherry picked from commit d6014301b5599fba395c42a1e96a7fe86f7d0b2d) + +With delayed allocation we should not/cannot discard inode prealloc +space during file close. We would still have dirty pages for which we +haven't allocated blocks yet. With this fix after each get_blocks +request we check whether we have zero reserved blocks and if yes and +we don't have any writers on the file we discard inode prealloc space. + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/file.c | 3 ++- + fs/ext4/inode.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -39,7 +39,8 @@ static int ext4_release_file(struct inod + } + /* if we are the last writer on the inode, drop the block reservation */ + if ((filp->f_mode & FMODE_WRITE) && +- (atomic_read(&inode->i_writecount) == 1)) ++ (atomic_read(&inode->i_writecount) == 1) && ++ !EXT4_I(inode)->i_reserved_data_blocks) + { + down_write(&EXT4_I(inode)->i_data_sem); + ext4_discard_preallocations(inode); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1036,8 +1036,15 @@ static void ext4_da_update_reserve_space + /* update per-inode reservations */ + BUG_ON(used > EXT4_I(inode)->i_reserved_data_blocks); + EXT4_I(inode)->i_reserved_data_blocks -= used; +- + spin_unlock(&EXT4_I(inode)->i_block_reservation_lock); ++ ++ /* ++ * If we have done all the pending block allocations and if ++ * there aren't any writers on the inode, we can discard the ++ * inode's preallocations. ++ */ ++ if (!total && (atomic_read(&inode->i_writecount) == 0)) ++ ext4_discard_preallocations(inode); + } + + /* + + +From greg@blue.kroah.org Tue Jun 9 02:41:10 2009 +Message-Id: <20090609094110.692675455@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:06 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 78/87] ext4: Add auto_da_alloc mount option +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-add-auto_da_alloc-mount-option.patch +Content-Length: 5002 +Lines: 140 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit afd4672dc7610b7feef5190168aa917cc2e417e4) + +Add a mount option which allows the user to disable automatic +allocation of blocks whose allocation by delayed allocation when the +file was originally truncated or when the file is renamed over an +existing file. This feature is intended to save users from the +effects of naive application writers, but it reduces the effectiveness +of the delayed allocation code. This mount option disables this +safety feature, which may be desirable for prodcutions systems where +the risk of unclean shutdowns or unexpected system crashes is low. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 2 +- + fs/ext4/inode.c | 2 +- + fs/ext4/namei.c | 3 ++- + fs/ext4/super.c | 25 +++++++++++++------------ + 4 files changed, 17 insertions(+), 15 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -557,7 +557,7 @@ do { \ + #define EXT4_MOUNT_NO_UID32 0x02000 /* Disable 32-bit UIDs */ + #define EXT4_MOUNT_XATTR_USER 0x04000 /* Extended user attributes */ + #define EXT4_MOUNT_POSIX_ACL 0x08000 /* POSIX Access Control Lists */ +-#define EXT4_MOUNT_RESERVATION 0x10000 /* Preallocation */ ++#define EXT4_MOUNT_NO_AUTO_DA_ALLOC 0x10000 /* No auto delalloc mapping */ + #define EXT4_MOUNT_BARRIER 0x20000 /* Use block barriers */ + #define EXT4_MOUNT_NOBH 0x40000 /* No bufferheads */ + #define EXT4_MOUNT_QUOTA 0x80000 /* Some quota option set */ +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3887,7 +3887,7 @@ void ext4_truncate(struct inode *inode) + if (!ext4_can_truncate(inode)) + return; + +- if (inode->i_size == 0) ++ if (inode->i_size == 0 && !test_opt(inode->i_sb, NO_AUTO_DA_ALLOC)) + ei->i_state |= EXT4_STATE_DA_ALLOC_CLOSE; + + if (EXT4_I(inode)->i_flags & EXT4_EXTENTS_FL) { +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2457,7 +2457,8 @@ static int ext4_rename(struct inode *old + ext4_mark_inode_dirty(handle, new_inode); + if (!new_inode->i_nlink) + ext4_orphan_add(handle, new_inode); +- force_da_alloc = 1; ++ if (!test_opt(new_dir->i_sb, NO_AUTO_DA_ALLOC)) ++ force_da_alloc = 1; + } + retval = 0; + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -803,8 +803,6 @@ static int ext4_show_options(struct seq_ + if (!test_opt(sb, POSIX_ACL) && (def_mount_opts & EXT4_DEFM_ACL)) + seq_puts(seq, ",noacl"); + #endif +- if (!test_opt(sb, RESERVATION)) +- seq_puts(seq, ",noreservation"); + if (sbi->s_commit_interval != JBD2_DEFAULT_MAX_COMMIT_AGE*HZ) { + seq_printf(seq, ",commit=%u", + (unsigned) (sbi->s_commit_interval / HZ)); +@@ -855,6 +853,9 @@ static int ext4_show_options(struct seq_ + if (test_opt(sb, DATA_ERR_ABORT)) + seq_puts(seq, ",data_err=abort"); + ++ if (test_opt(sb, NO_AUTO_DA_ALLOC)) ++ seq_puts(seq, ",auto_da_alloc=0"); ++ + ext4_show_quota_options(seq, sb); + return 0; + } +@@ -1002,7 +1003,7 @@ enum { + Opt_resgid, Opt_resuid, Opt_sb, Opt_err_cont, Opt_err_panic, Opt_err_ro, + Opt_nouid32, Opt_debug, Opt_oldalloc, Opt_orlov, + Opt_user_xattr, Opt_nouser_xattr, Opt_acl, Opt_noacl, +- Opt_reservation, Opt_noreservation, Opt_noload, Opt_nobh, Opt_bh, ++ Opt_auto_da_alloc, Opt_noload, Opt_nobh, Opt_bh, + Opt_commit, Opt_min_batch_time, Opt_max_batch_time, + Opt_journal_update, Opt_journal_dev, + Opt_journal_checksum, Opt_journal_async_commit, +@@ -1037,8 +1038,6 @@ static const match_table_t tokens = { + {Opt_nouser_xattr, "nouser_xattr"}, + {Opt_acl, "acl"}, + {Opt_noacl, "noacl"}, +- {Opt_reservation, "reservation"}, +- {Opt_noreservation, "noreservation"}, + {Opt_noload, "noload"}, + {Opt_nobh, "nobh"}, + {Opt_bh, "bh"}, +@@ -1073,6 +1072,7 @@ static const match_table_t tokens = { + {Opt_nodelalloc, "nodelalloc"}, + {Opt_inode_readahead_blks, "inode_readahead_blks=%u"}, + {Opt_journal_ioprio, "journal_ioprio=%u"}, ++ {Opt_auto_da_alloc, "auto_da_alloc=%u"}, + {Opt_err, NULL}, + }; + +@@ -1205,12 +1205,6 @@ static int parse_options(char *options, + "not supported\n"); + break; + #endif +- case Opt_reservation: +- set_opt(sbi->s_mount_opt, RESERVATION); +- break; +- case Opt_noreservation: +- clear_opt(sbi->s_mount_opt, RESERVATION); +- break; + case Opt_journal_update: + /* @@@ FIXME */ + /* Eventually we will want to be able to create +@@ -1471,6 +1465,14 @@ set_qf_format: + *journal_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, + option); + break; ++ case Opt_auto_da_alloc: ++ if (match_int(&args[0], &option)) ++ return 0; ++ if (option) ++ clear_opt(sbi->s_mount_opt, NO_AUTO_DA_ALLOC); ++ else ++ set_opt(sbi->s_mount_opt,NO_AUTO_DA_ALLOC); ++ break; + default: + printk(KERN_ERR + "EXT4-fs: Unrecognized mount option \"%s\" " +@@ -2099,7 +2101,6 @@ static int ext4_fill_super(struct super_ + sbi->s_min_batch_time = EXT4_DEF_MIN_BATCH_TIME; + sbi->s_max_batch_time = EXT4_DEF_MAX_BATCH_TIME; + +- set_opt(sbi->s_mount_opt, RESERVATION); + set_opt(sbi->s_mount_opt, BARRIER); + + /* + + +From greg@blue.kroah.org Tue Jun 9 02:41:11 2009 +Message-Id: <20090609094110.922941731@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 79/87] ext4: Check for an valid i_mode when reading the inode from disk +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-check-for-an-valid-i_mode-when-reading-the-inode-from-disk.patch +Content-Length: 1153 +Lines: 37 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 563bdd61fe4dbd6b58cf7eb06f8d8f14479ae1dc) + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4367,7 +4367,8 @@ struct inode *ext4_iget(struct super_blo + inode->i_op = &ext4_symlink_inode_operations; + ext4_set_aops(inode); + } +- } else { ++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || ++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + inode->i_op = &ext4_special_inode_operations; + if (raw_inode->i_block[0]) + init_special_inode(inode, inode->i_mode, +@@ -4375,6 +4376,13 @@ struct inode *ext4_iget(struct super_blo + else + init_special_inode(inode, inode->i_mode, + new_decode_dev(le32_to_cpu(raw_inode->i_block[1]))); ++ } else { ++ brelse(bh); ++ ret = -EIO; ++ ext4_error(inode->i_sb, __func__, ++ "bogus i_mode (%o) for inode=%lu", ++ inode->i_mode, inode->i_ino); ++ goto bad_inode; + } + brelse(iloc.bh); + ext4_set_inode_flags(inode); + + +From greg@blue.kroah.org Tue Jun 9 02:41:11 2009 +Message-Id: <20090609094111.149644013@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Jan Kara , + Lin Tan , + Greg Kroah-Hartman +Subject: [patch 80/87] jbd2: Update locking coments +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=jbd2-update-locking-coments.patch +Content-Length: 2410 +Lines: 65 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jan Kara + +(cherry picked from commit 86db97c87f744364d5889ca8a4134ca2048b8f83) + +Update information about locking in JBD2 revoke code. Inconsistency in +comments found by Lin Tan + +CC: Lin Tan +Signed-off-by: Jan Kara +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/revoke.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/fs/jbd2/revoke.c ++++ b/fs/jbd2/revoke.c +@@ -55,6 +55,25 @@ + * need do nothing. + * RevokeValid set, Revoked set: + * buffer has been revoked. ++ * ++ * Locking rules: ++ * We keep two hash tables of revoke records. One hashtable belongs to the ++ * running transaction (is pointed to by journal->j_revoke), the other one ++ * belongs to the committing transaction. Accesses to the second hash table ++ * happen only from the kjournald and no other thread touches this table. Also ++ * journal_switch_revoke_table() which switches which hashtable belongs to the ++ * running and which to the committing transaction is called only from ++ * kjournald. Therefore we need no locks when accessing the hashtable belonging ++ * to the committing transaction. ++ * ++ * All users operating on the hash table belonging to the running transaction ++ * have a handle to the transaction. Therefore they are safe from kjournald ++ * switching hash tables under them. For operations on the lists of entries in ++ * the hash table j_revoke_lock is used. ++ * ++ * Finally, also replay code uses the hash tables but at this moment noone else ++ * can touch them (filesystem isn't mounted yet) and hence no locking is ++ * needed. + */ + + #ifndef __KERNEL__ +@@ -401,8 +420,6 @@ int jbd2_journal_revoke(handle_t *handle + * the second time we would still have a pending revoke to cancel. So, + * do not trust the Revoked bit on buffers unless RevokeValid is also + * set. +- * +- * The caller must have the journal locked. + */ + int jbd2_journal_cancel_revoke(handle_t *handle, struct journal_head *jh) + { +@@ -480,10 +497,7 @@ void jbd2_journal_switch_revoke_table(jo + /* + * Write revoke records to the journal for all entries in the current + * revoke hash, deleting the entries as we go. +- * +- * Called with the journal lock held. + */ +- + void jbd2_journal_write_revoke_records(journal_t *journal, + transaction_t *transaction) + { + + +From greg@blue.kroah.org Tue Jun 9 02:41:11 2009 +Message-Id: <20090609094111.375778822@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 81/87] ext4: really print the find_group_flex fallback warning only once +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-really-print-the-find_group_flex-fallback-warning-only-once.patch +Content-Length: 853 +Lines: 31 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Chuck Ebbert + +(cherry picked from commit 6b82f3cb2d480b7714eb0ff61aee99c22160389e) + +Missing braces caused the warning to print more than once. + +Signed-Off-By: Chuck Ebbert +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ialloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -720,11 +720,12 @@ struct inode *ext4_new_inode(handle_t *h + ret2 = find_group_flex(sb, dir, &group); + if (ret2 == -1) { + ret2 = find_group_other(sb, dir, &group); +- if (ret2 == 0 && once) ++ if (ret2 == 0 && once) { + once = 0; + printk(KERN_NOTICE "ext4: find_group_flex " + "failed, fallback succeeded dir %lu\n", + dir->i_ino); ++ } + } + goto got_group; + } + + +From greg@blue.kroah.org Tue Jun 9 02:41:11 2009 +Message-Id: <20090609094111.622823567@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 82/87] ext4: Fix softlockup caused by illegal i_file_acl value in on-disk inode +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-fix-softlockup-caused-by-illegal-i_file_acl-value-in-on-disk-inode.patch +Content-Length: 1429 +Lines: 42 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 485c26ec70f823f2a9cf45982b724893e53a859e) + +If the block containing external extended attributes (which is stored +in i_file_acl and i_file_acl_high) is larger than the on-disk +filesystem, the process which tried to access the extended attributes +will endlessly issue kernel printks complaining that +"__find_get_block_slow() failed", locking up that CPU until the system +is forcibly rebooted. + +So when we read in the inode, make sure the i_file_acl value is legal, +and if not, flag the filesystem as being corrupted. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4351,6 +4351,18 @@ struct inode *ext4_iget(struct super_blo + (__u64)(le32_to_cpu(raw_inode->i_version_hi)) << 32; + } + ++ if (ei->i_file_acl && ++ ((ei->i_file_acl < ++ (le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block) + ++ EXT4_SB(sb)->s_gdb_count)) || ++ (ei->i_file_acl >= ext4_blocks_count(EXT4_SB(sb)->s_es)))) { ++ ext4_error(sb, __func__, ++ "bad extended attribute block %llu in inode #%lu", ++ ei->i_file_acl, inode->i_ino); ++ ret = -EIO; ++ goto bad_inode; ++ } ++ + if (S_ISREG(inode->i_mode)) { + inode->i_op = &ext4_file_inode_operations; + inode->i_fop = &ext4_file_operations; + + +From greg@blue.kroah.org Tue Jun 9 02:41:12 2009 +Message-Id: <20090609094111.858261931@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 83/87] ext4: Ignore i_file_acl_high unless EXT4_FEATURE_INCOMPAT_64BIT is present +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-ignore-i_file_acl_high-unless-ext4_feature_incompat_64bit-is-present.patch +Content-Length: 1248 +Lines: 33 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit a9e817425dc0baede8ebe5fbc9984a640257432b) + +Don't try to look at i_file_acl_high unless the INCOMPAT_64BIT feature +bit is set. The field is normally zero, but older versions of e2fsck +didn't automatically check to make sure of this, so in the spirit of +"be liberal in what you accept", don't look at i_file_acl_high unless +we are using a 64-bit filesystem. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4300,11 +4300,9 @@ struct inode *ext4_iget(struct super_blo + ei->i_flags = le32_to_cpu(raw_inode->i_flags); + inode->i_blocks = ext4_inode_blocks(raw_inode, ei); + ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo); +- if (EXT4_SB(inode->i_sb)->s_es->s_creator_os != +- cpu_to_le32(EXT4_OS_HURD)) { ++ if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_64BIT)) + ei->i_file_acl |= + ((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32; +- } + inode->i_size = ext4_isize(raw_inode); + ei->i_disksize = inode->i_size; + inode->i_generation = le32_to_cpu(raw_inode->i_generation); + + +From greg@blue.kroah.org Tue Jun 9 02:41:12 2009 +Message-Id: <20090609094112.103140898@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + "Aneesh Kumar K.V" , + Greg Kroah-Hartman +Subject: [patch 84/87] ext4: Fix sub-block zeroing for writes into preallocated extents +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-fix-sub-block-zeroing-for-writes-into-preallocated-extents.patch +Content-Length: 1564 +Lines: 50 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Aneesh Kumar K.V + +(cherry picked from commit 9c1ee184a30394e54165fa4c15923cabd952c106) + +We need to mark the buffer_head mapping preallocated space as new +during write_begin. Otherwise we don't zero out the page cache content +properly for a partial write. This will cause file corruption with +preallocation. + +Now that we mark the buffer_head new we also need to have a valid +buffer_head blocknr so that unmap_underlying_metadata() unmaps the +correct block. + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 2 ++ + fs/ext4/inode.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2776,6 +2776,8 @@ int ext4_ext_get_blocks(handle_t *handle + if (allocated > max_blocks) + allocated = max_blocks; + set_buffer_unwritten(bh_result); ++ bh_result->b_bdev = inode->i_sb->s_bdev; ++ bh_result->b_blocknr = newblock; + goto out2; + } + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2246,6 +2246,13 @@ static int ext4_da_get_block_prep(struct + set_buffer_delay(bh_result); + } else if (ret > 0) { + bh_result->b_size = (ret << inode->i_blkbits); ++ /* ++ * With sub-block writes into unwritten extents ++ * we also need to mark the buffer as new so that ++ * the unwritten parts of the buffer gets correctly zeroed. ++ */ ++ if (buffer_unwritten(bh_result)) ++ set_buffer_new(bh_result); + ret = 0; + } + + + +From greg@blue.kroah.org Tue Jun 9 02:41:12 2009 +Message-Id: <20090609094112.328089030@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + "Aneesh Kumar K.V" , + Greg Kroah-Hartman +Subject: [patch 85/87] ext4: Use a fake block number for delayed new buffer_head +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-use-a-fake-block-number-for-delayed-new-buffer_head.patch +Content-Length: 1266 +Lines: 39 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Aneesh Kumar K.V + +(cherry picked from commit 33b9817e2ae097c7b8d256e3510ac6c54fc6d9d0) + +Use a very large unsigned number (~0xffff) as as the fake block number +for the delayed new buffer. The VFS should never try to write out this +number, but if it does, this will make it obvious. + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2220,6 +2220,10 @@ static int ext4_da_get_block_prep(struct + struct buffer_head *bh_result, int create) + { + int ret = 0; ++ sector_t invalid_block = ~((sector_t) 0xffff); ++ ++ if (invalid_block < ext4_blocks_count(EXT4_SB(inode->i_sb)->s_es)) ++ invalid_block = ~0; + + BUG_ON(create == 0); + BUG_ON(bh_result->b_size != inode->i_sb->s_blocksize); +@@ -2241,7 +2245,7 @@ static int ext4_da_get_block_prep(struct + /* not enough space to reserve */ + return ret; + +- map_bh(bh_result, inode->i_sb, 0); ++ map_bh(bh_result, inode->i_sb, invalid_block); + set_buffer_new(bh_result); + set_buffer_delay(bh_result); + } else if (ret > 0) { + + +From greg@blue.kroah.org Tue Jun 9 02:41:12 2009 +Message-Id: <20090609094112.555068937@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + "Aneesh Kumar K.V" , + Greg Kroah-Hartman +Subject: [patch 86/87] ext4: Clear the unwritten buffer_head flag after the extent is initialized +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-clear-the-unwritten-buffer_head-flag-after-the-extent-is-initialized.patch +Content-Length: 2092 +Lines: 55 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Aneesh Kumar K.V + +(cherry picked from commit 2a8964d63d50dd2d65d71d342bc7fb6ef4117614) + +The BH_Unwritten flag indicates that the buffer is allocated on disk +but has not been written; that is, the disk was part of a persistent +preallocation area. That flag should only be set when a get_blocks() +function is looking up a inode's logical to physical block mapping. + +When ext4_get_blocks_wrap() is called with create=1, the uninitialized +extent is converted into an initialized one, so the BH_Unwritten flag +is no longer appropriate. Hence, we need to make sure the +BH_Unwritten is not left set, since the combination of BH_Mapped and +BH_Unwritten is not allowed; among other things, it will result ext4's +get_block() to be called over and over again during the write_begin +phase of write(2). + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1076,6 +1076,7 @@ int ext4_get_blocks_wrap(handle_t *handl + int retval; + + clear_buffer_mapped(bh); ++ clear_buffer_unwritten(bh); + + /* + * Try to see if we can get the block without requesting +@@ -1106,6 +1107,18 @@ int ext4_get_blocks_wrap(handle_t *handl + return retval; + + /* ++ * When we call get_blocks without the create flag, the ++ * BH_Unwritten flag could have gotten set if the blocks ++ * requested were part of a uninitialized extent. We need to ++ * clear this flag now that we are committed to convert all or ++ * part of the uninitialized extent to be an initialized ++ * extent. This is because we need to avoid the combination ++ * of BH_Unwritten and BH_Mapped flags being simultaneously ++ * set on the buffer_head. ++ */ ++ clear_buffer_unwritten(bh); ++ ++ /* + * New blocks allocate and/or writing to uninitialized extent + * will possibly result in updating i_data, so we take + * the write lock of i_data_sem, and call get_blocks() + + +From greg@blue.kroah.org Tue Jun 9 02:41:13 2009 +Message-Id: <20090609094112.789197843@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:40:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + linux-ext4@vger.kernel.org, + Greg Kroah-Hartman +Subject: [patch 87/87] ext4: Fix race in ext4_inode_info.i_cached_extent +References: <20090609093848.204935043@blue.kroah.org> +Content-Disposition: inline; filename=ext4-fix-race-in-ext4_inode_info.i_cached_extent.patch +Content-Length: 2526 +Lines: 78 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: "Theodore Ts'o" + +(cherry picked from commit 2ec0ae3acec47f628179ee95fe2c4da01b5e9fc4) + +If two CPU's simultaneously call ext4_ext_get_blocks() at the same +time, there is nothing protecting the i_cached_extent structure from +being used and updated at the same time. This could potentially cause +the wrong location on disk to be read or written to, including +potentially causing the corruption of the block group descriptors +and/or inode table. + +This bug has been in the ext4 code since almost the very beginning of +ext4's development. Fortunately once the data is stored in the page +cache cache, ext4_get_blocks() doesn't need to be called, so trying to +replicate this problem to the point where we could identify its root +cause was *extremely* difficult. Many thanks to Kevin Shanahan for +working over several months to be able to reproduce this easily so we +could finally nail down the cause of the corruption. + +Signed-off-by: "Theodore Ts'o" +Reviewed-by: "Aneesh Kumar K.V" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1740,11 +1740,13 @@ ext4_ext_put_in_cache(struct inode *inod + { + struct ext4_ext_cache *cex; + BUG_ON(len == 0); ++ spin_lock(&EXT4_I(inode)->i_block_reservation_lock); + cex = &EXT4_I(inode)->i_cached_extent; + cex->ec_type = type; + cex->ec_block = block; + cex->ec_len = len; + cex->ec_start = start; ++ spin_unlock(&EXT4_I(inode)->i_block_reservation_lock); + } + + /* +@@ -1801,12 +1803,17 @@ ext4_ext_in_cache(struct inode *inode, e + struct ext4_extent *ex) + { + struct ext4_ext_cache *cex; ++ int ret = EXT4_EXT_CACHE_NO; + ++ /* ++ * We borrow i_block_reservation_lock to protect i_cached_extent ++ */ ++ spin_lock(&EXT4_I(inode)->i_block_reservation_lock); + cex = &EXT4_I(inode)->i_cached_extent; + + /* has cache valid data? */ + if (cex->ec_type == EXT4_EXT_CACHE_NO) +- return EXT4_EXT_CACHE_NO; ++ goto errout; + + BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP && + cex->ec_type != EXT4_EXT_CACHE_EXTENT); +@@ -1817,11 +1824,11 @@ ext4_ext_in_cache(struct inode *inode, e + ext_debug("%u cached by %u:%u:%llu\n", + block, + cex->ec_block, cex->ec_len, cex->ec_start); +- return cex->ec_type; ++ ret = cex->ec_type; + } +- +- /* not in cache */ +- return EXT4_EXT_CACHE_NO; ++errout: ++ spin_unlock(&EXT4_I(inode)->i_block_reservation_lock); ++ return ret; + } + + /* + + +From greg@blue.kroah.org Tue Jun 9 02:40:52 2009 +Message-Id: <20090609093848.204935043@blue.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 09 Jun 2009 02:38:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/87] 2.6.29-stable review +Content-Length: 5142 +Lines: 106 + + +This is the start of the stable review cycle for the 2.6.29.5 release. +There are 87 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by June 11 09:00:00 UTC. Anything received +after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.29.5-rc1.gz +and the diffstat can be found below. + + +thanks, + +greg k-h + + + Documentation/filesystems/ext4.txt | 5 +- + Makefile | 2 +- + arch/powerpc/mm/tlb_nohash_low.S | 2 +- + arch/sparc/kernel/of_device_32.c | 21 ++++++- + arch/sparc/kernel/of_device_64.c | 21 ++++++- + arch/sparc/kernel/smp_64.c | 4 +- + arch/x86/kernel/hpet.c | 41 +++++++++--- + arch/x86/kvm/mmu.c | 3 +- + arch/x86/kvm/x86.c | 6 ++- + arch/x86/mm/hugetlbpage.c | 6 ++- + arch/x86/pci/mmconfig-shared.c | 6 +- + crypto/api.c | 3 +- + drivers/acpi/processor_idle.c | 8 ++- + drivers/block/xen-blkfront.c | 6 +- + drivers/char/random.c | 19 ++++-- + drivers/char/tpm/tpm_bios.c | 3 +- + drivers/crypto/padlock-aes.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 6 +- + drivers/hid/usbhid/hid-core.c | 2 +- + drivers/hwmon/lm78.c | 2 +- + drivers/ide/ide-io.c | 4 +- + drivers/ide/ide-iops.c | 21 +++++- + drivers/ide/ide-pci-generic.c | 11 +++ + drivers/ide/ide-tape.c | 6 -- + drivers/mtd/devices/mtd_dataflash.c | 2 +- + drivers/net/Makefile | 2 +- + drivers/net/bnx2.c | 2 + + drivers/net/bonding/bond_alb.c | 10 +--- + drivers/net/e1000/e1000_main.c | 5 +- + drivers/net/igb/igb_ethtool.c | 4 + + drivers/net/mac8390.c | 10 ++-- + drivers/net/macvlan.c | 9 ++- + drivers/net/myri10ge/myri10ge.c | 1 + + drivers/net/r8169.c | 102 +++++++++++++++++------------- + drivers/net/wireless/iwlwifi/iwl-sta.c | 21 +++--- + drivers/scsi/3w-xxxx.c | 5 +- + drivers/scsi/3w-xxxx.h | 2 +- + drivers/serial/icom.c | 2 +- + drivers/serial/mpc52xx_uart.c | 2 +- + drivers/usb/class/cdc-acm.c | 4 - + drivers/usb/host/isp1760-hcd.c | 24 +++++++- + drivers/usb/serial/ftdi_sio.c | 9 +--- + drivers/usb/serial/usb-serial.c | 1 + + fs/ext4/ext4.h | 30 +++++++++- + fs/ext4/extents.c | 19 ++++-- + fs/ext4/file.c | 7 ++- + fs/ext4/ialloc.c | 17 ++--- + fs/ext4/inode.c | 106 ++++++++++++++++++++++++++++++-- + fs/ext4/ioctl.c | 17 +++++- + fs/ext4/namei.c | 18 +++++- + fs/ext4/super.c | 25 ++++---- + fs/jbd2/revoke.c | 24 ++++++-- + fs/nfs/dir.c | 3 +- + include/linux/ptrace.h | 1 + + kernel/exit.c | 83 ++++++++++++------------- + kernel/futex.c | 24 ++++--- + kernel/ptrace.c | 25 ++++---- + mm/hugetlb.c | 26 ++++---- + mm/slub.c | 3 + + net/8021q/vlan_dev.c | 3 +- + net/core/pktgen.c | 2 +- + net/core/skbuff.c | 2 +- + net/ipv4/route.c | 60 ++++++------------ + net/ipv4/tcp.c | 5 +- + net/ipv4/tcp_input.c | 3 + + net/mac80211/rc80211_minstrel.c | 4 +- + net/mac80211/rc80211_pid_algo.c | 73 ++++++++++++---------- + net/rose/af_rose.c | 10 --- + net/sched/sch_teql.c | 5 +- + net/wimax/op-msg.c | 11 ++-- + net/wireless/reg.c | 7 ++ + net/xfrm/xfrm_state.c | 6 +- + security/keys/request_key.c | 9 ++- + security/selinux/hooks.c | 2 +- + sound/pci/hda/patch_realtek.c | 1 + + sound/usb/usbaudio.c | 2 +- + sound/usb/usbaudio.h | 2 +- + sound/usb/usbmidi.c | 12 +++- + sound/usb/usbquirks.h | 2 +- + virt/kvm/kvm_main.c | 1 + + 80 files changed, 692 insertions(+), 385 deletions(-) + diff --git a/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch b/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch index 03584fc71ea..d07cffe60fe 100644 --- a/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch +++ b/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch @@ -19,9 +19,13 @@ Acked-by: Josh Boyer Signed-off-by: Kumar Gala Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/tlb_nohash_low.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/arch/powerpc/mm/tlb_nohash_low.S +++ b/arch/powerpc/mm/tlb_nohash_low.S -@@ -191,6 +191,6 @@ ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_TLBILX) +@@ -161,6 +161,6 @@ _GLOBAL(_tlbil_va) isync 1: wrtee r10 blr diff --git a/queue-2.6.29/series b/queue-2.6.29/series index 3077a2d3688..065350a8403 100644 --- a/queue-2.6.29/series +++ b/queue-2.6.29/series @@ -51,6 +51,7 @@ mac80211-pid-fix-memory-corruption.patch mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch bnx2-fix-panic-in-bnx2_poll_work.patch random-make-get_random_int-more-random.patch +avoid-ice-in-get_random_int-with-gcc-3.4.5.patch hid-fix-dropped-device-specific-quirks.patch 3w-xxxx-scsi_dma_unmap-fix.patch powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch