From: Greg Kroah-Hartman Date: Wed, 7 Mar 2007 01:59:53 +0000 (-0800) Subject: more patches added X-Git-Tag: v2.6.20.2~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5208ca74cc002f572b748115167760367f7f3102;p=thirdparty%2Fkernel%2Fstable-queue.git more patches added --- diff --git a/queue-2.6.20/forcedeth-disable-msix.patch b/queue-2.6.20/forcedeth-disable-msix.patch new file mode 100644 index 00000000000..febdd5a679c --- /dev/null +++ b/queue-2.6.20/forcedeth-disable-msix.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Thu Mar 1 16:06:43 2007 +From: Ayaz Abdulla +Date: Thu, 01 Mar 2007 19:05:16 -0500 +Subject: forcedeth: disable msix +To: linux-stable +Message-ID: <45E76A3C.1070907@redhat.com> + +From: Ayaz Abdulla + +forcedeth: disable msix + +There seems to be an issue when both MSI-X is enabled and NAPI is +configured. This patch disables MSI-X until the issue is root caused. + +Signed-off-by: Ayaz Abdulla +Signed-off-by: Jeff Garzik +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/forcedeth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/drivers/net/forcedeth.c ++++ linux-2.6.20.1/drivers/net/forcedeth.c +@@ -825,7 +825,7 @@ enum { + NV_MSIX_INT_DISABLED, + NV_MSIX_INT_ENABLED + }; +-static int msix = NV_MSIX_INT_ENABLED; ++static int msix = NV_MSIX_INT_DISABLED; + + /* + * DMA 64bit diff --git a/queue-2.6.20/jfs_fix_deadlock.patch b/queue-2.6.20/jfs_fix_deadlock.patch new file mode 100644 index 00000000000..adcb933cc68 --- /dev/null +++ b/queue-2.6.20/jfs_fix_deadlock.patch 
@@ -0,0 +1,58 @@ +From: Dave Kleikamp +Date: Wed Jan 17 21:18:35 2007 -0600 +Subject: JFS: call io_schedule() instead of schedule() to avoid deadlock + +From: Dave Kleikamp + +JFS: call io_schedule() instead of schedule() to avoid deadlock + +The introduction of Jens Axboe's explicit i/o plugging patches introduced a +deadlock in jfs. This was caused by the process initiating I/O not +unplugging the queue before waiting on the commit thread. The commit +thread itself was waiting for that I/O to complete. Calling io_schedule() +rather than schedule() unplugs the I/O queue avoiding the deadlock, and it +appears to be the right function to call in any case. + +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/jfs/jfs_lock.h | 2 +- + fs/jfs/jfs_metapage.c | 2 +- + fs/jfs/jfs_txnmgr.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- linux-2.6.20.1.orig/fs/jfs/jfs_lock.h ++++ linux-2.6.20.1/fs/jfs/jfs_lock.h +@@ -42,7 +42,7 @@ do { \ + if (cond) \ + break; \ + unlock_cmd; \ +- schedule(); \ ++ io_schedule(); \ + lock_cmd; \ + } \ + current->state = TASK_RUNNING; \ +--- linux-2.6.20.1.orig/fs/jfs/jfs_metapage.c ++++ linux-2.6.20.1/fs/jfs/jfs_metapage.c +@@ -56,7 +56,7 @@ static inline void __lock_metapage(struc + set_current_state(TASK_UNINTERRUPTIBLE); + if (metapage_locked(mp)) { + unlock_page(mp->page); +- schedule(); ++ io_schedule(); + lock_page(mp->page); + } + } while (trylock_metapage(mp)); +--- linux-2.6.20.1.orig/fs/jfs/jfs_txnmgr.c ++++ linux-2.6.20.1/fs/jfs/jfs_txnmgr.c +@@ -135,7 +135,7 @@ static inline void TXN_SLEEP_DROP_LOCK(w + add_wait_queue(event, &wait); + set_current_state(TASK_UNINTERRUPTIBLE); + TXN_UNLOCK(); +- schedule(); ++ io_schedule(); + current->state = TASK_RUNNING; + remove_wait_queue(event, &wait); + } diff --git a/queue-2.6.20/md_md5_6_bio_too_big_fix_fix.patch b/queue-2.6.20/md_md5_6_bio_too_big_fix_fix.patch new file mode 100644 index 00000000000..f1204e0c084 --- /dev/null 
+++ b/queue-2.6.20/md_md5_6_bio_too_big_fix_fix.patch @@ -0,0 +1,32 @@ +From: Neil Brown +Subject: export blk_recount_segments + +On Monday February 12, marcm@liquid-nexus.net wrote: +> > +> > Thanks for the quick response Neil unfortunately the kernel doesn't build with +> > this patch due to a missing symbol: +> > +> > WARNING: "blk_recount_segments" [drivers/md/raid456.ko] undefined! +> > +> > Is that in another file that needs patching or within raid5.c? + +Yes. I keep forgetting about that bit. Sorry. + +Signed-off-by: Neil Brown +Signed-off-by: Greg Kroah-Hartman + +--- + block/ll_rw_blk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/block/ll_rw_blk.c ++++ linux-2.6.20.1/block/ll_rw_blk.c +@@ -1264,7 +1264,7 @@ new_hw_segment: + bio->bi_hw_segments = nr_hw_segs; + bio->bi_flags |= (1 << BIO_SEG_VALID); + } +- ++EXPORT_SYMBOL(blk_recount_segments); + + static int blk_phys_contig_segment(request_queue_t *q, struct bio *bio, + struct bio *nxt) diff --git a/queue-2.6.20/nfnetlink_log_null_deref_fix.patch.patch b/queue-2.6.20/nfnetlink_log_null_deref_fix.patch.patch new file mode 100644 index 00000000000..43f16be9acd --- /dev/null +++ b/queue-2.6.20/nfnetlink_log_null_deref_fix.patch.patch @@ -0,0 +1,24 @@ +From: Michał Mirosław +Subject: Eliminate possible NULL pointer dereference in nfulnl_recv_config(). + +Eliminate possible NULL pointer dereference in nfulnl_recv_config(). + +Signed-off-by: Michał Mirosław +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c ++++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c +@@ -865,6 +865,9 @@ nfulnl_recv_config(struct sock *ctnl, st + ret = -EINVAL; + break; + } ++ ++ if (!inst) ++ goto out_null; + } else { + if (!inst) { + UDEBUG("no config command, and no instance for " 
diff --git a/queue-2.6.20/nfnetlink_log_refcounting_fix.patch.patch b/queue-2.6.20/nfnetlink_log_refcounting_fix.patch.patch new file mode 100644 index 00000000000..5fb6dbd2537 --- /dev/null +++ b/queue-2.6.20/nfnetlink_log_refcounting_fix.patch.patch @@ -0,0 +1,55 @@ +From: Michał Mirosław +Subject: Fix reference counting (memory leak) problem in __nfulnl_send() and callers related to packet queueing. + +Signed-off-by: Michał Mirosław +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- linux-2.6.20.1.orig/net/netfilter/nfnetlink_log.c ++++ linux-2.6.20.1/net/netfilter/nfnetlink_log.c +@@ -217,6 +217,11 @@ _instance_destroy2(struct nfulnl_instanc + + spin_lock_bh(&inst->lock); + if (inst->skb) { ++ /* timer "holds" one reference (we have one more) */ ++ if (timer_pending(&inst->timer)) { ++ del_timer(&inst->timer); ++ instance_put(inst); ++ } + if (inst->qlen) + __nfulnl_send(inst); + if (inst->skb) { +@@ -363,9 +368,6 @@ __nfulnl_send(struct nfulnl_instance *in + { + int status; + +- if (timer_pending(&inst->timer)) +- del_timer(&inst->timer); +- + if (!inst->skb) + return 0; + +@@ -392,6 +394,8 @@ static void nfulnl_timer(unsigned long d + UDEBUG("timer function called, flushing buffer\n"); + + spin_lock_bh(&inst->lock); ++ if (timer_pending(&inst->timer)) /* is it always true or false here? */ ++ del_timer(&inst->timer); + __nfulnl_send(inst); + instance_put(inst); + spin_unlock_bh(&inst->lock); +@@ -689,6 +693,11 @@ nfulnl_log_packet(unsigned int pf, + * enough room in the skb left. flush to userspace. */ + UDEBUG("flushing old skb\n"); + ++ /* timer "holds" one reference (we have another one) */ ++ if (timer_pending(&inst->timer)) { ++ del_timer(&inst->timer); ++ instance_put(inst); ++ } + __nfulnl_send(inst); + + if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) { 
diff --git a/queue-2.6.20/sched-fix-smt-scheduler-bug.patch b/queue-2.6.20/sched-fix-smt-scheduler-bug.patch new file mode 100644 index 00000000000..06e1e5d265d --- /dev/null +++ b/queue-2.6.20/sched-fix-smt-scheduler-bug.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Thu Mar 1 16:00:18 2007 +From: Ingo Molnar +Date: Thu, 01 Mar 2007 18:58:51 -0500 +Subject: sched: fix SMT scheduler bug +To: linux-stable +Message-ID: <45E768BB.6050500@redhat.com> + +From: Ingo Molnar + +[PATCH] sched: fix SMT scheduler bug + +The SMT scheduler incorrectly skips kernel threads even if they are +runnable (but they are preempted by a higher-prio user-space task which got +SMT-delayed by an even higher-priority task running on a sibling CPU). + +Fix this for now by only doing the SMT-nice optimization if the +to-be-delayed task is the only runnable task. (This should cover most of +the real-life cases anyway.) + +This bug has been in the SMT scheduler since 2.6.17 or so, but has only +been noticed now by the active check in the dynticks code. + +Signed-off-by: Ingo Molnar +Cc: Michal Piotrowski +Cc: Nick Piggin +Cc: Thomas Gleixner +Cc: Chuck Ebbert +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds + +--- + kernel/sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/kernel/sched.c ++++ linux-2.6.20.1/kernel/sched.c +@@ -3528,7 +3528,7 @@ need_resched_nonpreemptible: + } + } + next->sleep_type = SLEEP_NORMAL; +- if (dependent_sleeper(cpu, rq, next)) ++ if (rq->nr_running == 1 && dependent_sleeper(cpu, rq, next)) + next = rq->idle; + switch_tasks: + if (next == rq->idle) diff --git a/queue-2.6.20/series b/queue-2.6.20/series index cebd9bca094..dd57623965e 100644 --- a/queue-2.6.20/series +++ b/queue-2.6.20/series 
@@ -69,3 +69,10 @@ fix-100-cpu-spinning-on-sparc64.patch fix-tcp-md5-locking.patch don-t-add-anycast-reference-to-device-multiple-times.patch fix-anycast-procfs-device-leak.patch +nfnetlink_log_refcounting_fix.patch.patch +nfnetlink_log_null_deref_fix.patch.patch +md_md5_6_bio_too_big_fix_fix.patch +jfs_fix_deadlock.patch +forcedeth-disable-msix.patch +tty_io-fix-race-in-master-pty-close-slave-pty-close-path.patch +sched-fix-smt-scheduler-bug.patch diff --git a/queue-2.6.20/tty_io-fix-race-in-master-pty-close-slave-pty-close-path.patch b/queue-2.6.20/tty_io-fix-race-in-master-pty-close-slave-pty-close-path.patch new file mode 100644 index 00000000000..bb7c10edea1 --- /dev/null +++ b/queue-2.6.20/tty_io-fix-race-in-master-pty-close-slave-pty-close-path.patch 
@@ -0,0 +1,151 @@ +From stable-bounces@linux.kernel.org Thu Mar 1 16:04:13 2007 +From: Aristeu Sergio Rozanski Filho +Date: Thu, 01 Mar 2007 19:02:55 -0500 +Subject: tty_io: fix race in master pty close/slave pty close path +To: linux-stable +Message-ID: <45E769AF.4000608@redhat.com> + +From: Aristeu Sergio Rozanski Filho + +[PATCH] tty_io: fix race in master pty close/slave pty close path + +This patch fixes a possible race that leads to double freeing an idr index. + When the master begin to close, release_dev() is called and then +pty_close() is called: + + if (tty->driver->close) + tty->driver->close(tty, filp); + +This is done without helding any locks other than BKL. Inside pty_close(), +being a master close, the devpts entry will be removed: + +#ifdef CONFIG_UNIX98_PTYS + if (tty->driver == ptm_driver) + devpts_pty_kill(tty->index); +#endif + +But devpts_pty_kill() will call get_node() that may sleep while waiting for +&devpts_root->d_inode->i_sem. When this happens and the slave is being +opened, tty_open() just found the driver and index: + + driver = get_tty_driver(device, &index); + if (!driver) { + mutex_unlock(&tty_mutex); + return -ENODEV; + } + +This part of the code is already protected under tty_mute. The problem is +that the slave close already got an index. Then init_dev() is called and +blocks waiting for the same &devpts_root->d_inode->i_sem. + +When the master close resumes, it removes the devpts entry, and the +relation between idr index and the tty is gone. The master then sleeps +waiting for the tty_mutex on release_dev(). + +Slave open resumes and found no tty for that index. 
As result, a NULL tty +is returned and init_dev() doesn't flow to fast_track: + + /* check whether we're reopening an existing tty */ + if (driver->flags & TTY_DRIVER_DEVPTS_MEM) { + tty = devpts_get_tty(idx); + if (tty && driver->subtype == PTY_TYPE_MASTER) + tty = tty->link; + } else { + tty = driver->ttys[idx]; + } + if (tty) goto fast_track; + +The result of this, is that a new tty will be created and init_dev() returns +sucessfull. After returning, tty_mutex is dropped and master close may resume. + +Master close finds it's the only use and both sides are closing, then releases +the tty and the index. At this point, the idr index is free, but slave still +has it. + +Slave open then calls pty_open() and finds that tty->link->count is 0, +because there's no master and returns error. Then tty_open() calls +release_dev() which executes without any warning, as it was a case of last +slave close when the master is already closed (master->count == 0, +slave->count == 1). The tty is then released with the already released idr +index. + +This normally would only issue a warning on idr_remove() but in case of a +customer's critical application, it's never too simple: + +thread1: opens master, gets index X +thread1: begin closing master +thread2: begin opening slave with index X +thread1: finishes closing master, index X released +thread3: opens master, gets index X, just released +thread2: fails opening slave, releases index X <---- +thread4: opens master, gets index X, init_dev() then find an already in use + and healthy tty and fails + +If no more indexes are released, ptmx_open() will keep failing, as the +first free index available is X, and it will make init_dev() fail because +you're trying to "reopen a master" which isn't valid. + +The patch notices when this race happens and make init_dev() fail +imediately. 
The init_dev() function is called with tty_mutex held, so it's +safe to continue with tty till the end of function because release_dev() +won't make any further changes without grabbing the tty_mutex. + +Without the patch, on some machines it's possible get easily idr warnings +like this one: + +idr_remove called for id=15 which is not allocated. + [] idr_remove+0x139/0x170 + [] release_mem+0x182/0x230 + [] release_dev+0x4b7/0x700 + [] tty_ldisc_enable+0x27/0x30 + [] init_dev+0x254/0x580 + [] check_tty_count+0x14/0xb0 + [] tty_open+0x1c5/0x340 + [] tty_open+0x0/0x340 + [] chrdev_open+0xaf/0x180 + [] open_namei+0x8c/0x760 + [] chrdev_open+0x0/0x180 + [] __dentry_open+0xc9/0x210 + [] do_filp_open+0x5c/0x70 + [] get_unused_fd+0x61/0xd0 + [] do_sys_open+0x53/0x100 + [] sys_open+0x27/0x30 + [] syscall_call+0x7/0xb + +using this test application available on: + http://www.ruivo.org/~aris/pty_sodomizer.c + +Signed-off-by: Aristeu Sergio Rozanski Filho +Cc: "H. Peter Anvin" +Cc: Chuck Ebbert +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tty_io.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- linux-2.6.20.1.orig/drivers/char/tty_io.c ++++ linux-2.6.20.1/drivers/char/tty_io.c +@@ -1891,6 +1891,20 @@ static int init_dev(struct tty_driver *d + /* check whether we're reopening an existing tty */ + if (driver->flags & TTY_DRIVER_DEVPTS_MEM) { + tty = devpts_get_tty(idx); ++ /* ++ * If we don't have a tty here on a slave open, it's because ++ * the master already started the close process and there's ++ * no relation between devpts file and tty anymore. 
++ */ ++ if (!tty && driver->subtype == PTY_TYPE_SLAVE) { ++ retval = -EIO; ++ goto end_init; ++ } ++ /* ++ * It's safe from now on because init_dev() is called with ++ * tty_mutex held and release_dev() won't change tty->count ++ * or tty->flags without having to grab tty_mutex ++ */ + if (tty && driver->subtype == PTY_TYPE_MASTER) + tty = tty->link; + } else {
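Review bot: in drivers/net/forcedeth.c the flipped default at `static int msix = NV_MSIX_INT_DISABLED;` carries no comment saying it is a temporary workaround. The changelog says MSI-X is disabled only until the MSI-X plus NAPI issue is root caused, so a one-line comment above the initializer stating that would keep the default from looking permanent and tell whoever re-enables it what to retest.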
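Review bot: the three schedule() to io_schedule() replacements (the wait macro in fs/jfs/jfs_lock.h, __lock_metapage() in fs/jfs/jfs_metapage.c, TXN_SLEEP_DROP_LOCK() in fs/jfs/jfs_txnmgr.c) have no comment at the call sites. The changelog explains that io_schedule() is needed because it unplugs the I/O queue the commit thread is waiting on, but nothing in the code says so, and a later cleanup could turn these back into schedule() and reintroduce the deadlock. A short comment, at least on the jfs_lock.h macro, would record the reason.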
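Review bot: the changelog for the `EXPORT_SYMBOL(blk_recount_segments);` addition in block/ll_rw_blk.c is a quoted mail exchange and never states the reason for the export in its own words. It should say directly that drivers/md/raid456.ko references blk_recount_segments and that the module build reports the symbol as undefined without the export, and it should name the earlier patch this one completes so the two are backported together.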
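Review bot: the added `if (!inst) goto out_null;` in nfulnl_recv_config() leaves `ret` untouched on the new path. In the visible lines `ret` is only assigned -EINVAL in the branch just above, so please confirm what the caller gets back when a config command is processed and no instance exists, and set an explicit error before the goto if success is not the intended result. The changelog should also say which command reaches this point with inst == NULL.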
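Review bot: in the nfulnl_timer() hunk of net/netfilter/nfnetlink_log.c the added comment `/* is it always true or false here? */` leaves an open question in the code. It should be answered, and the timer_pending()/del_timer() pair there either dropped or given a comment explaining why no instance_put() accompanies it, unlike the pairs added in _instance_destroy2() and nfulnl_log_packet(). In those two places `if (del_timer(&inst->timer)) instance_put(inst);` would do the same in one step, since del_timer() reports whether it deactivated a pending timer. Also worth checking in nfulnl_timer(): instance_put(inst) runs before spin_unlock_bh(&inst->lock), so the unlock touches inst after a reference has been dropped.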
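Review bot: the new `rq->nr_running == 1 &&` condition in kernel/sched.c has no comment, although the changelog describes it as a fix "for now". A comment above the `if` saying that the SMT-nice delay is applied only when the to-be-delayed task is the sole runnable task, and why (runnable kernel threads were being skipped), would mark it as interim for whoever revisits dependent_sleeper(). The queued patch also lacks the stable maintainer's Signed-off-by that the other patches added in this commit carry.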
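Review bot: two of the entries added to queue-2.6.20/series, nfnetlink_log_refcounting_fix.patch.patch and nfnetlink_log_null_deref_fix.patch.patch, have a doubled .patch suffix that matches the new file names. Renaming both files and their series entries to a single .patch keeps the queue consistent with the other entries and avoids a mismatch if only one side is corrected later.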
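Review bot: the second comment added to init_dev() in drivers/char/tty_io.c states a locking rule (init_dev() is called with tty_mutex held, and release_dev() takes tty_mutex before changing tty->count or tty->flags) that nothing in the hunk enforces. That rule belongs in the function's header comment so it covers every caller, rather than mid-function next to the master/slave link lookup. The first comment should also say why -EIO is the value returned for a slave open that loses the race with a master close, since that is what userspace sees from open().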