From: Greg Kroah-Hartman Date: Wed, 29 Apr 2009 01:58:51 +0000 (-0700) Subject: some .27 patches X-Git-Tag: v2.6.27.22~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=572edc49af16368480c63ce43964c2012030cbea;p=thirdparty%2Fkernel%2Fstable-queue.git some .27 patches --- diff --git a/queue-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch b/queue-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch new file mode 100644 index 00000000000..89d41bb7d9d --- /dev/null +++ b/queue-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch @@ -0,0 +1,42 @@ +From 97ecdadc284e820931f27c6345b0ff8b85792346 Mon Sep 17 00:00:00 2001 +From: Etienne Basset +Date: Tue, 31 Mar 2009 23:54:11 +0200 +Subject: security/smack: fix oops when setting a size 0 SMACK64 xattr + +From: Etienne Basset + +upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f + +this patch fix an oops in smack when setting a size 0 SMACK64 xattr eg +attr -S -s SMACK64 -V '' somefile +This oops because smk_import_entry treats a 0 length as SMK_MAXLEN + +Signed-off-by: Etienne Basset +Reviewed-by: James Morris +Acked-by: Casey Schaufler +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smack_lsm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -604,6 +604,8 @@ static int smack_inode_setxattr(struct d + strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { + if (!capable(CAP_MAC_ADMIN)) + rc = -EPERM; ++ if (size == 0) ++ rc = -EINVAL; + } else + rc = cap_inode_setxattr(dentry, name, value, size, flags); + +@@ -1360,7 +1362,7 @@ static int smack_inode_setsecurity(struc + struct socket *sock; + int rc = 0; + +- if (value == NULL || size > SMK_LABELLEN) ++ if (value == NULL || size > SMK_LABELLEN || size == 0) + return -EACCES; + + sp = smk_import(value, size); diff --git a/queue-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch b/queue-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch new file mode 100644 index 00000000000..975db821aac --- /dev/null +++ b/queue-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch @@ -0,0 +1,46 @@ +From 32626208c6548358e28b0857ad030b8a3fa12d86 Mon Sep 17 00:00:00 2001 +From: Michael K. Johnson +Date: Wed, 1 Apr 2009 20:40:02 +0000 +Subject: x86, setup: mark %esi as clobbered in E820 BIOS call + +From: Michael K. Johnson + +upstream commit: 01522df346f846906eaf6ca57148641476209909 + +Jordan Hargrave diagnosed a BIOS clobbering %esi in the E820 call. +That particular BIOS has been fixed, but there is a possibility that +this is responsible for other occasional reports of early boot +failure, and it does not hurt to add %esi to the clobbers. + +-stable candidate patch. + +Cc: Justin Forbes +Signed-off-by: Michael K Johnson +Signed-off-by: H. Peter Anvin +Cc: stable@kernel.org +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/memory.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/boot/memory.c ++++ b/arch/x86/boot/memory.c +@@ -27,13 +27,14 @@ static int detect_memory_e820(void) + do { + size = sizeof(struct e820entry); + +- /* Important: %edx is clobbered by some BIOSes, +- so it must be either used for the error output ++ /* Important: %edx and %esi are clobbered by some BIOSes, ++ so they must be either used for the error output + or explicitly marked clobbered. */ + asm("int $0x15; setc %0" + : "=d" (err), "+b" (next), "=a" (id), "+c" (size), + "=m" (*desc) +- : "D" (desc), "d" (SMAP), "a" (0xe820)); ++ : "D" (desc), "d" (SMAP), "a" (0xe820) ++ : "esi"); + + /* BIOSes which terminate the chain with CF = 1 as opposed + to %ebx = 0 don't always report the SMAP signature on diff --git a/queue-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch b/queue-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch new file mode 100644 index 00000000000..81b2d98ed3f --- /dev/null +++ b/queue-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch @@ -0,0 +1,35 @@ +From d4a0936d21ddba01f85daf686625f0004b896aae Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Fri, 3 Apr 2009 04:35:12 +0000 +Subject: mm: do_xip_mapping_read: fix length calculation + +From: Martin Schwidefsky + +upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8 + +The calculation of the value nr in do_xip_mapping_read is incorrect. If +the copy required more than one iteration in the do while loop the copies +variable will be non-zero. The maximum length that may be passed to the +call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the +check only compares against (nr > len). + +This bug is the cause for the heap corruption Carsten has been chasing +for so long: + +--- + mm/filemap_xip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/filemap_xip.c ++++ b/mm/filemap_xip.c +@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space + } + } + nr = nr - offset; +- if (nr > len) +- nr = len; ++ if (nr > len - copied) ++ nr = len - copied; + + error = mapping->a_ops->get_xip_mem(mapping, index, 0, + &xip_mem, &xip_pfn); diff --git a/queue-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch b/queue-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch new file mode 100644 index 00000000000..cd8b2edd5a9 --- /dev/null +++ b/queue-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch @@ -0,0 +1,95 @@ +From 187ab6618c3afae07d5ca0727966ea461e5d07a7 Mon Sep 17 00:00:00 2001 +From: Wu Fengguang +Date: Fri, 3 Apr 2009 04:35:14 +0000 +Subject: vfs: skip I_CLEAR state inodes + +From: Wu Fengguang + +upstream commit: b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd + +clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so +_outside_ of inode_lock. So any I_FREEING testing is incomplete without a +coupled testing of I_CLEAR. + +So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and +add_dquot_ref(). + +Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara +reminds fixing the other two cases. + +Masayoshi MIZUMA has a nice panic flow: + +===================================================================== + [process A] | [process B] + | | + | prune_icache() | drop_pagecache() + | spin_lock(&inode_lock) | drop_pagecache_sb() + | inode->i_state |= I_FREEING; | | + | spin_unlock(&inode_lock) | V + | | | spin_lock(&inode_lock) + | V | | + | dispose_list() | | + | list_del() | | + | clear_inode() | | + | inode->i_state = I_CLEAR | | + | | | V + | | | if (inode->i_state & (I_FREEING|I_WILL_FREE)) + | | | continue; <==== NOT MATCH + | | | + | | | (DANGER from here on! Accessing disposing inode!) + | | | + | | | __iget() + | | | list_move() <===== PANIC on poisoned list !! + V V | +(time) +===================================================================== + +Reported-by: Masayoshi MIZUMA +Reviewed-by: Jan Kara +Signed-off-by: Wu Fengguang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[chrisw: backport to 2.6.29] +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/dquot.c | 2 +- + fs/drop_caches.c | 2 +- + fs/fs-writeback.c | 3 ++- + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/dquot.c ++++ b/fs/dquot.c +@@ -726,7 +726,7 @@ static void add_dquot_ref(struct super_b + continue; + if (!dqinit_needed(inode, type)) + continue; +- if (inode->i_state & (I_FREEING|I_WILL_FREE)) ++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE)) + continue; + + __iget(inode); +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct sup + + spin_lock(&inode_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { +- if (inode->i_state & (I_FREEING|I_WILL_FREE)) ++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE)) + continue; + if (inode->i_mapping->nrpages == 0) + continue; +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -538,7 +538,8 @@ void generic_sync_sb_inodes(struct super + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + struct address_space *mapping; + +- if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ++ if (inode->i_state & ++ (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW)) + continue; + mapping = inode->i_mapping; + if (mapping->nrpages == 0) diff --git a/queue-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch b/queue-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch new file mode 100644 index 00000000000..7dc15d7ac92 --- /dev/null +++ b/queue-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch @@ -0,0 +1,68 @@ +From 33d06566b593703a972da232d08b6a12176f1854 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Fri, 27 Mar 2009 00:28:21 -0700 +Subject: af_rose/x25: Sanity check the maximum user frame size + +From: Alan Cox + +upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 + +CVE-2009-0795. + +Otherwise we can wrap the sizes and end up sending garbage. + +Closes #10423 + +Signed-off-by: Alan Cox +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 6 +++++- + net/rose/af_rose.c | 4 ++++ + net/x25/af_x25.c | 6 ++++++ + 3 files changed, 15 insertions(+), 1 deletion(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb + + SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); + +- /* Build a packet */ ++ /* Build a packet - the conventional user limit is 236 bytes. We can ++ do ludicrously large NetROM frames but must not overflow */ ++ if (len > 65536) ++ return -EMSGSIZE; ++ + SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); + size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1120,6 +1120,10 @@ static int rose_sendmsg(struct kiocb *io + + /* Build a packet */ + SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); ++ /* Sanity check the packet size */ ++ if (len > 65535) ++ return -EMSGSIZE; ++ + size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; + + if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc + sx25.sx25_addr = x25->dest_addr; + } + ++ /* Sanity check the packet size */ ++ if (len > 65535) { ++ rc = -EMSGSIZE; ++ goto out; ++ } ++ + SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); + + /* Build a packet */ diff --git a/queue-2.6.27/0044-net-netrom-Fix-socket-locking.patch b/queue-2.6.27/0044-net-netrom-Fix-socket-locking.patch new file mode 100644 index 00000000000..6dbbd1e55bd --- /dev/null +++ b/queue-2.6.27/0044-net-netrom-Fix-socket-locking.patch @@ -0,0 +1,37 @@ +From df5b6025d1a9e2e61dde1fd28257082751264c07 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Wed, 22 Apr 2009 00:49:51 -0700 +Subject: net/netrom: Fix socket locking + +From: Jean Delvare + +upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab + +Patch "af_rose/x25: Sanity check the maximum user frame size" +(commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got +locking wrong. If we bail out due to user frame size being too large, +we must unlock the socket beforehand. + +Signed-off-by: Jean Delvare +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1084,8 +1084,10 @@ static int nr_sendmsg(struct kiocb *iocb + + /* Build a packet - the conventional user limit is 236 bytes. We can + do ludicrously large NetROM frames but must not overflow */ +- if (len > 65536) +- return -EMSGSIZE; ++ if (len > 65536) { ++ err = -EMSGSIZE; ++ goto out; ++ } + + SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); + size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; diff --git a/queue-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch b/queue-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch new file mode 100644 index 00000000000..1b004d2690e --- /dev/null +++ b/queue-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch @@ -0,0 +1,70 @@ +From 6bc1b5deb47f0fc3d697abd2fcd417618cf07e3f Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Mon, 6 Apr 2009 17:31:29 +0200 +Subject: netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection + +From: Patrick McHardy + +upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558 + +Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case +search for loops) introduced a regression in the loop detection algorithm, +causing sporadic incorrectly detected loops. + +When a chain has already been visited during the check, it is treated as +having a standard target containing a RETURN verdict directly at the +beginning in order to not check it again. The real target of the first +rule is then incorrectly treated as STANDARD target and checked not to +contain invalid verdicts. + +Fix by making sure the rule does actually contain a standard target. + +Based on patch by Francis Dupont +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/arp_tables.c | 4 +++- + net/ipv4/netfilter/ip_tables.c | 4 +++- + net/ipv6/netfilter/ip6_tables.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -372,7 +372,9 @@ static int mark_source_chains(struct xt_ + && unconditional(&e->arp)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ ARPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -502,7 +502,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ip)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -529,7 +529,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ipv6)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IP6T_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); diff --git a/queue-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch b/queue-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch new file mode 100644 index 00000000000..7e5409c0d22 --- /dev/null +++ b/queue-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch @@ -0,0 +1,118 @@ +From ed960ac61e12e298d1cdcd52b21b9ee07d36755c Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 7 Apr 2009 16:25:02 +0000 +Subject: splice: fix deadlock in splicing to file + +From: Miklos Szeredi + +upstream commit: 7bfac9ecf0585962fe13584f5cf526d8c8e76f17 + +There's a possible deadlock in generic_file_splice_write(), +splice_from_pipe() and ocfs2_file_splice_write(): + + - task A calls generic_file_splice_write() + - this calls inode_double_lock(), which locks i_mutex on both + pipe->inode and target inode + - ordering depends on inode pointers, can happen that pipe->inode is + locked first + - __splice_from_pipe() needs more data, calls pipe_wait() + - this releases lock on pipe->inode, goes to interruptible sleep + - task B calls generic_file_splice_write(), similarly to the first + - this locks pipe->inode, then tries to lock inode, but that is + already held by task A + - task A is interrupted, it tries to lock pipe->inode, but fails, as + it is already held by task B + - ABBA deadlock + +Fix this by explicitly ordering locks: the outer lock must be on +target inode and the inner lock (which is later unlocked and relocked) +must be on pipe->inode. This is OK, pipe inodes and target inodes +form two nonoverlapping sets, generic_file_splice_write() and friends +are not called with a target which is a pipe. + +Signed-off-by: Miklos Szeredi +Acked-by: Mark Fasheh +Acked-by: Jens Axboe +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 8 ++++++-- + fs/splice.c | 25 ++++++++++++++++++++----- + 2 files changed, 26 insertions(+), 7 deletions(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2089,7 +2089,7 @@ static ssize_t ocfs2_file_splice_write(s + out->f_path.dentry->d_name.len, + out->f_path.dentry->d_name.name); + +- inode_double_lock(inode, pipe->inode); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); + + ret = ocfs2_rw_lock(inode, 1); + if (ret < 0) { +@@ -2104,12 +2104,16 @@ static ssize_t ocfs2_file_splice_write(s + goto out_unlock; + } + ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); + + out_unlock: + ocfs2_rw_unlock(inode, 1); + out: +- inode_double_unlock(inode, pipe->inode); ++ mutex_unlock(&inode->i_mutex); + + mlog_exit(ret); + return ret; +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -735,10 +735,19 @@ ssize_t splice_from_pipe(struct pipe_ino + * ->commit_write. Most of the time, these expect i_mutex to + * be held. Since this may result in an ABBA deadlock with + * pipe->inode, we have to order lock acquiry here. ++ * ++ * Outer lock must be inode->i_mutex, as pipe_wait() will ++ * release and reacquire pipe->inode->i_mutex, AND inode must ++ * never be a pipe. + */ +- inode_double_lock(inode, pipe->inode); ++ WARN_ON(S_ISFIFO(inode->i_mode)); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = __splice_from_pipe(pipe, &sd, actor); +- inode_double_unlock(inode, pipe->inode); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); ++ mutex_unlock(&inode->i_mutex); + + return ret; + } +@@ -829,11 +838,17 @@ generic_file_splice_write(struct pipe_in + }; + ssize_t ret; + +- inode_double_lock(inode, pipe->inode); ++ WARN_ON(S_ISFIFO(inode->i_mode)); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); + ret = file_remove_suid(out); +- if (likely(!ret)) ++ if (likely(!ret)) { ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = __splice_from_pipe(pipe, &sd, pipe_to_file); +- inode_double_unlock(inode, pipe->inode); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); ++ } ++ mutex_unlock(&inode->i_mutex); + if (ret > 0) { + unsigned long nr_pages; + diff --git a/queue-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch b/queue-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch new file mode 100644 index 00000000000..6d1025a26cf --- /dev/null +++ b/queue-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch @@ -0,0 +1,28 @@ +From 37a8bca218bf6c4cad295b7d250c3590f57e3cf6 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Tue, 7 Apr 2009 16:25:04 +0000 +Subject: ALSA: hda - add missing comma in ad1884_slave_vols + +From: Akinobu Mita + +upstream commit: bca68467b59a24396554d8dd5979ee363c174854 + +Signed-off-by: Akinobu Mita +Signed-off-by: Takashi Iwai +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_analog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_analog.c ++++ b/sound/pci/hda/patch_analog.c +@@ -3220,7 +3220,7 @@ static const char *ad1884_slave_vols[] = + "Mic Playback Volume", + "CD Playback Volume", + "Internal Mic Playback Volume", +- "Docking Mic Playback Volume" ++ "Docking Mic Playback Volume", + "Beep Playback Volume", + "IEC958 Playback Volume", + NULL diff --git a/queue-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch b/queue-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch new file mode 100644 index 00000000000..bdb17f3fabf --- /dev/null +++ b/queue-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch @@ -0,0 +1,47 @@ +From 10b9c3cd8848919561d16570759c0146988cb8d5 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Thu, 5 Mar 2009 14:45:55 -0600 +Subject: SCSI: libiscsi: fix iscsi pool error path + +From: Jean Delvare + +upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b + +Memory freeing in iscsi_pool_free() looks wrong to me. Either q->pool +can be NULL and this should be tested before dereferencing it, or it +can't be NULL and it shouldn't be tested at all. As far as I can see, +the only case where q->pool is NULL is on early error in +iscsi_pool_init(). One possible way to fix the bug is thus to not +call iscsi_pool_free() in this case (nothing needs to be freed anyway) +and then we can get rid of the q->pool check. + +Signed-off-by: Jean Delvare +Signed-off-by: Mike Christie +Signed-off-by: James Bottomley +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1807,7 +1807,7 @@ iscsi_pool_init(struct iscsi_pool *q, in + num_arrays++; + q->pool = kzalloc(num_arrays * max * sizeof(void*), GFP_KERNEL); + if (q->pool == NULL) +- goto enomem; ++ return -ENOMEM; + + q->queue = kfifo_init((void*)q->pool, max * sizeof(void*), + GFP_KERNEL, NULL); +@@ -1842,8 +1842,7 @@ void iscsi_pool_free(struct iscsi_pool * + + for (i = 0; i < q->max; i++) + kfree(q->pool[i]); +- if (q->pool) +- kfree(q->pool); ++ kfree(q->pool); + kfree(q->queue); + } + EXPORT_SYMBOL_GPL(iscsi_pool_free); diff --git a/queue-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch b/queue-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch new file mode 100644 index 00000000000..67b0ba2740e --- /dev/null +++ b/queue-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch @@ -0,0 +1,50 @@ +From b76d2b612cd5c0c6fb82340f9ec241ca75b942f9 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Wed, 1 Apr 2009 13:11:29 -0500 +Subject: SCSI: libiscsi: fix iscsi pool error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf-8 +Content-Transfer-Encoding: 8bit + +From: Jean Delvare + +upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522 + +Le lundi 30 mars 2009, Chris Wright a écrit : +> q->queue could be ERR_PTR(-ENOMEM) which will break unwinding +> on error. Make iscsi_pool_free more defensive. +> + +Making the freeing of q->queue dependent on q->pool being set looks +really weird (although it is correct at the moment. But this seems +to be fixable in a much simpler way. + +With the benefit that only the error case is slowed down. In both +cases we have a problem if q->queue contains an error value but it's +not -ENOMEM. Apparently this can't happen today, but it doesn't feel +right to assume this will always be true. Maybe it's the right time +to fix this as well. + +Signed-off-by: Mike Christie +Signed-off-by: James Bottomley +[chrisw: this is a fixlet to f474a37b, also in -stable] +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1811,8 +1811,10 @@ iscsi_pool_init(struct iscsi_pool *q, in + + q->queue = kfifo_init((void*)q->pool, max * sizeof(void*), + GFP_KERNEL, NULL); +- if (q->queue == ERR_PTR(-ENOMEM)) ++ if (IS_ERR(q->queue)) { ++ q->queue = NULL; + goto enomem; ++ } + + for (i = 0; i < max; i++) { + q->pool[i] = kzalloc(item_size, GFP_KERNEL); diff --git a/queue-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch b/queue-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch new file mode 100644 index 00000000000..bdd47351a60 --- /dev/null +++ b/queue-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch @@ -0,0 +1,52 @@ +From 3f22ebd2f4d191631a7b867addc8bd99e948873f Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 9 Apr 2009 18:20:02 +0000 +Subject: sched: do not count frozen tasks toward load + +From: Nathan Lynch + +upstream commit: e3c8ca8336707062f3f7cb1cd7e6b3c753baccdd + +Freezing tasks via the cgroup freezer causes the load average to climb +because the freezer's current implementation puts frozen tasks in +uninterruptible sleep (D state). + +Some applications which perform job-scheduling functions consult the +load average when making decisions. If a cgroup is frozen, the load +average does not provide a useful measure of the system's utilization +to such applications. This is especially inconvenient if the job +scheduler employs the cgroup freezer as a mechanism for preempting low +priority jobs. Contrast this with using SIGSTOP for the same purpose: +the stopped tasks do not count toward system load. + +Change task_contributes_to_load() to return false if the task is +frozen. This results in /proc/loadavg behavior that better meets +users' expectations. + +Signed-off-by: Nathan Lynch +Acked-by: Andrew Morton +Acked-by: Nigel Cunningham +Tested-by: Nigel Cunningham +Cc: containers@lists.linux-foundation.org +Cc: linux-pm@lists.linux-foundation.org +Cc: Matt Helsley +LKML-Reference: <20090408194512.47a99b95@manatee.lan> +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -201,7 +201,8 @@ extern unsigned long long time_sync_thre + #define task_is_stopped_or_traced(task) \ + ((task->state & (__TASK_STOPPED | __TASK_TRACED)) != 0) + #define task_contributes_to_load(task) \ +- ((task->state & TASK_UNINTERRUPTIBLE) != 0) ++ ((task->state & TASK_UNINTERRUPTIBLE) != 0 && \ ++ (task->flags & PF_FROZEN) == 0) + + #define __set_task_state(tsk, state_value) \ + do { (tsk)->state = (state_value); } while (0) diff --git a/queue-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch b/queue-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch new file mode 100644 index 00000000000..e2c968bac29 --- /dev/null +++ b/queue-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch @@ -0,0 +1,80 @@ +From d11a29e323dfd141183cdc918e31acdff02ef450 Mon Sep 17 00:00:00 2001 +From: Serge E. Hallyn +Date: Mon, 13 Apr 2009 17:25:03 +0000 +Subject: add some long-missing capabilities to fs_mask + +From: Serge E. Hallyn + +upstream commit: 0ad30b8fd5fe798aae80df6344b415d8309342cc + +When POSIX capabilities were introduced during the 2.1 Linux +cycle, the fs mask, which represents the capabilities which having +fsuid==0 is supposed to grant, did not include CAP_MKNOD and +CAP_LINUX_IMMUTABLE. However, before capabilities the privilege +to call these did in fact depend upon fsuid==0. + +This patch introduces those capabilities into the fsmask, +restoring the old behavior. + +See the thread starting at http://lkml.org/lkml/2009/3/11/157 for +reference. + +Note that if this fix is deemed valid, then earlier kernel versions (2.4 +and 2.2) ought to be fixed too. + +Changelog: + [Mar 23] Actually delete old CAP_FS_SET definition... + [Mar 20] Updated against J. Bruce Fields's patch + +Reported-by: Igor Zhbanov +Signed-off-by: Serge E. Hallyn +Cc: stable@kernel.org +Cc: J. Bruce Fields +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/capability.h | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -366,7 +366,21 @@ typedef struct kernel_cap_struct { + #define CAP_FOR_EACH_U32(__capi) \ + for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) + ++/* ++ * CAP_FS_MASK and CAP_NFSD_MASKS: ++ * ++ * The fs mask is all the privileges that fsuid==0 historically meant. ++ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. ++ * ++ * It has never meant setting security.* and trusted.* xattrs. ++ * ++ * We could also define fsmask as follows: ++ * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions ++ * 2. The security.* and trusted.* xattrs are fs-related MAC permissions ++ */ ++ + # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ ++ | CAP_TO_MASK(CAP_MKNOD) \ + | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ + | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ + | CAP_TO_MASK(CAP_FOWNER) \ +@@ -381,11 +395,12 @@ typedef struct kernel_cap_struct { + # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) + # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) + # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}) +-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } }) ++# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ ++ | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ ++ CAP_FS_MASK_B1 } }) + # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ +- | CAP_TO_MASK(CAP_SYS_RESOURCE) \ +- | CAP_TO_MASK(CAP_MKNOD), \ +- CAP_FS_MASK_B1 } }) ++ | CAP_TO_MASK(CAP_SYS_RESOURCE), \ ++ CAP_FS_MASK_B1 } }) + + #endif /* _KERNEL_CAPABILITY_U32S != 2 */ + diff --git a/queue-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch b/queue-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch new file mode 100644 index 00000000000..acfe0ae3077 --- /dev/null +++ b/queue-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch @@ -0,0 +1,62 @@ +From 6c6737beae9981a707c1a4e1e9f1baf7cc47ce5f Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Wed, 15 Apr 2009 17:25:05 +0000 +Subject: powerpc: Fix data-corrupting bug in __futex_atomic_op + +From: Paul Mackerras + +upstream commit: 306a82881b14d950d59e0b59a55093a07d82aa9a + +Richard Henderson pointed out that the powerpc __futex_atomic_op has a +bug: it will write the wrong value if the stwcx. fails and it has to +retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten +by the result from the first time around the loop. This happens +because it uses the same register for 'oparg' (an input) as it uses +for the result. + +This fixes it by using separate registers for 'oparg' and 'ret'. + +Cc: stable@kernel.org +Signed-off-by: Paul Mackerras +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/futex.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/futex.h ++++ b/arch/powerpc/include/asm/futex.h +@@ -27,7 +27,7 @@ + PPC_LONG "1b,4b,2b,4b\n" \ + ".previous" \ + : "=&r" (oldval), "=&r" (ret) \ +- : "b" (uaddr), "i" (-EFAULT), "1" (oparg) \ ++ : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \ + : "cr0", "memory") + + static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr) +@@ -47,19 +47,19 @@ static inline int futex_atomic_op_inuser + + switch (op) { + case FUTEX_OP_SET: +- __futex_atomic_op("", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_ADD: +- __futex_atomic_op("add %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_OR: +- __futex_atomic_op("or %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_ANDN: +- __futex_atomic_op("andc %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_XOR: +- __futex_atomic_op("xor %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + default: + ret = -ENOSYS; diff --git a/queue-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch b/queue-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch new file mode 100644 index 00000000000..5236dbfc838 --- /dev/null +++ b/queue-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch @@ -0,0 +1,46 @@ +From 2a3403fd95cbf6f548198be0fd37a056d12a56fe Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 18 Apr 2009 17:42:19 +0200 +Subject: hpt366: fix HPT370 DMA timeouts + +From: Sergei Shtylyov + +upstream commit: c018f1ee5cf81e58b93d9e93a2ee39cad13dc1ac + +The big driver change in 2.4.19-rc1 introduced a regression for many HPT370[A] +chips -- DMA stopped to work completely, only causing endless timeouts... + +The culprit has been identified (at last!): it turned to be the code resetting +the DMA state machine before each transfer. Stop doing it now as this counter- +measure has clearly caused more harm than good. + +This should fix the kernel.org bug #7703. + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ide/pci/hpt366.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ide/pci/hpt366.c ++++ b/drivers/ide/pci/hpt366.c +@@ -114,6 +114,8 @@ + * the register setting lists into the table indexed by the clock selected + * - set the correct hwif->ultra_mask for each individual chip + * - add Ultra and MW DMA mode filtering for the HPT37[24] based SATA cards ++ * - stop resetting HPT370's state machine before each DMA transfer as that has ++ * caused more harm than good + * Sergei Shtylyov, or + */ + +@@ -134,7 +136,7 @@ + #define DRV_NAME "hpt366" + + /* various tuning parameters */ +-#define HPT_RESET_STATE_ENGINE ++#undef HPT_RESET_STATE_ENGINE + #undef HPT_DELAY_INTERRUPT + #define HPT_SERIALIZE_IO 0 + diff --git a/queue-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch b/queue-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch new file mode 100644 index 00000000000..072d6503381 --- /dev/null +++ b/queue-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch @@ -0,0 +1,73 @@ +From d683876908060916ada0091d1db3b09afccb1517 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Tue, 14 Apr 2009 18:39:14 +0400 +Subject: pata_hpt37x: fix HPT370 DMA timeouts + +From: Sergei Shtylyov + +upstream commit: 265b7215aed36941620b65ecfff516200fb190c1 + +The libata driver has copied the code from the IDE driver which caused a post +2.4.18 regression on many HPT370[A] chips -- DMA stopped to work completely, +only causing timeouts. Now remove hpt370_bmdma_start() for good... + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Jeff Garzik +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_hpt37x.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/ata/pata_hpt37x.c ++++ b/drivers/ata/pata_hpt37x.c +@@ -8,7 +8,7 @@ + * Copyright (C) 1999-2003 Andre Hedrick + * Portions Copyright (C) 2001 Sun Microsystems, Inc. + * Portions Copyright (C) 2003 Red Hat Inc +- * Portions Copyright (C) 2005-2007 MontaVista Software, Inc. ++ * Portions Copyright (C) 2005-2009 MontaVista Software, Inc. + * + * TODO + * Look into engine reset on timeout errors. Should not be required. +@@ -24,7 +24,7 @@ + #include + + #define DRV_NAME "pata_hpt37x" +-#define DRV_VERSION "0.6.11" ++#define DRV_VERSION "0.6.12" + + struct hpt_clock { + u8 xfer_speed; +@@ -445,23 +445,6 @@ static void hpt370_set_dmamode(struct at + } + + /** +- * hpt370_bmdma_start - DMA engine begin +- * @qc: ATA command +- * +- * The 370 and 370A want us to reset the DMA engine each time we +- * use it. The 372 and later are fine. +- */ +- +-static void hpt370_bmdma_start(struct ata_queued_cmd *qc) +-{ +- struct ata_port *ap = qc->ap; +- struct pci_dev *pdev = to_pci_dev(ap->host->dev); +- pci_write_config_byte(pdev, 0x50 + 4 * ap->port_no, 0x37); +- udelay(10); +- ata_bmdma_start(qc); +-} +- +-/** + * hpt370_bmdma_end - DMA engine stop + * @qc: ATA command + * +@@ -598,7 +581,6 @@ static struct scsi_host_template hpt37x_ + static struct ata_port_operations hpt370_port_ops = { + .inherits = &ata_bmdma_port_ops, + +- .bmdma_start = hpt370_bmdma_start, + .bmdma_stop = hpt370_bmdma_stop, + + .mode_filter = hpt370_filter, diff --git a/queue-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch b/queue-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch new file mode 100644 index 00000000000..6c569615546 --- /dev/null +++ b/queue-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch @@ -0,0 +1,48 @@ +From 5c435c37e2652e5d066dc81fcc108a0dffbdb33d Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell +Date: Fri, 17 Apr 2009 21:20:10 +0000 +Subject: usb gadget: fix ethernet link reports to ethtool + +From: Jonathan McDowell + +upstream commit: 237e75bf1e558f7330f8deb167fa3116405bef2c + +The g_ether USB gadget driver currently decides whether or not there's a +link to report back for eth_get_link based on if the USB link speed is +set. The USB gadget speed is however often set even before the device is +enumerated. It seems more sensible to only report a "link" if we're +actually connected to a host that wants to talk to us. The patch below +does this for me - tested with the PXA27x UDC driver. + +Signed-off-by: Jonathan McDowell +Signed-off-by: David Brownell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/gadget/u_ether.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/usb/gadget/u_ether.c ++++ b/drivers/usb/gadget/u_ether.c +@@ -175,12 +175,6 @@ static void eth_get_drvinfo(struct net_d + strlcpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof p->bus_info); + } + +-static u32 eth_get_link(struct net_device *net) +-{ +- struct eth_dev *dev = netdev_priv(net); +- return dev->gadget->speed != USB_SPEED_UNKNOWN; +-} +- + /* REVISIT can also support: + * - WOL (by tracking suspends and issuing remote wakeup) + * - msglevel (implies updated messaging) +@@ -189,7 +183,7 @@ static u32 eth_get_link(struct net_devic + + static struct ethtool_ops ops = { + .get_drvinfo = eth_get_drvinfo, +- .get_link = eth_get_link ++ .get_link = ethtool_op_get_link, + }; + + static void defer_kevent(struct eth_dev *dev, int flag) diff --git a/queue-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch b/queue-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch new file mode 100644 index 00000000000..aa54e121105 --- /dev/null +++ b/queue-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch @@ -0,0 +1,43 @@ +From 082240d79158decfc9918b96487da38a750b4d1d Mon Sep 17 00:00:00 2001 +From: Peter Korsgaard +Date: Fri, 17 Apr 2009 21:20:07 +0000 +Subject: USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer + +From: Peter Korsgaard + +upstream commit: ae27d84351f1f3568118318a8c40ff3a154bd629 + +Signed-off-by: Peter Korsgaard +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio.h | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -662,6 +662,7 @@ static struct usb_device_id id_table_com + { USB_DEVICE(DE_VID, WHT_PID) }, + { USB_DEVICE(ADI_VID, ADI_GNICE_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +--- a/drivers/usb/serial/ftdi_sio.h ++++ b/drivers/usb/serial/ftdi_sio.h +@@ -890,6 +890,13 @@ + #define ADI_GNICE_PID 0xF000 + + /* ++ * JETI SPECTROMETER SPECBOS 1201 ++ * http://www.jeti.com/products/sys/scb/scb1201.php ++ */ ++#define JETI_VID 0x0c6c ++#define JETI_SPC1201_PID 0x04b2 ++ ++/* + * BmRequestType: 1100 0000b + * bRequest: FTDI_E2_READ + * wValue: 0 diff --git a/queue-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch b/queue-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch new file mode 100644 index 00000000000..afa3e7a4cc9 --- /dev/null +++ b/queue-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch @@ -0,0 +1,29 @@ +From 4be149f9b684906505d49932fd18e1f17721b30f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Fri, 17 Apr 2009 21:20:06 +0000 +Subject: USB: fix oops in cdc-wdm in case of malformed descriptors + +From: Oliver Neukum + +upstream commit: e13c594f3a1fc2c78e7a20d1a07974f71e4b448f + +cdc-wdm needs to ignore extremely malformed descriptors. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/class/cdc-wdm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -641,7 +641,7 @@ next_desc: + + iface = &intf->altsetting[0]; + ep = &iface->endpoint[0].desc; +- if (!usb_endpoint_is_int_in(ep)) { ++ if (!ep || !usb_endpoint_is_int_in(ep)) { + rv = -EINVAL; + goto err; + } diff --git a/queue-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch b/queue-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch new file mode 100644 index 00000000000..18bae24c353 --- /dev/null +++ b/queue-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch @@ -0,0 +1,40 @@ +From 35fe207a082d775b0bbaac3f49a9dc2d7c02779c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 17 Apr 2009 21:20:03 +0000 +Subject: USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab + +From: Alan Stern + +upstream commit: e4813eec8d47c8299d968bd5349dc881fa481c26 + +This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs +entry for the Simple Tech/Datafab controller. This fixes Bugzilla +#12882. + +Signed-off-by: Alan Stern +Reported-and-tested-by: binbin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/storage/unusual_devs.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1241,12 +1241,14 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0x + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_FIX_INQUIRY ), + +-/* Reported by Rauch Wolke */ ++/* Reported by Rauch Wolke ++ * and augmented by binbin (Bugzilla #12882) ++ */ + UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff, + "Simple Tech/Datafab", + "CF+SM Reader", + US_SC_DEVICE, US_PR_DEVICE, NULL, +- US_FL_IGNORE_RESIDUE ), ++ US_FL_IGNORE_RESIDUE | US_FL_MAX_SECTORS_64 ), + + /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant + * to the USB storage specification in two ways: diff --git a/queue-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch b/queue-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch new file mode 100644 index 00000000000..481a22e0ae2 --- /dev/null +++ b/queue-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch @@ -0,0 +1,32 @@ +From 0702b646e5bdc16af64ef6f663e5275a02bf40cd Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Mon, 20 Apr 2009 10:08:35 +1000 +Subject: agp: zero pages before sending to userspace + +upstream commit: 59de2bebabc5027f93df999d59cc65df591c3e6e + +CVE-2009-1192 + +AGP pages might be mapped into userspace finally, so the pages should be +set to zero before userspace can use it. Otherwise there is potential +information leakage. + +Signed-off-by: Shaohua Li +Signed-off-by: Dave Airlie +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/agp/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/agp/generic.c ++++ b/drivers/char/agp/generic.c +@@ -1207,7 +1207,7 @@ void *agp_generic_alloc_page(struct agp_ + { + struct page * page; + +- page = alloc_page(GFP_KERNEL | GFP_DMA32); ++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO); + if (page == NULL) + return NULL; + diff --git a/queue-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch b/queue-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch new file mode 100644 index 00000000000..98e11d2ab8b --- /dev/null +++ b/queue-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch @@ -0,0 +1,53 @@ +From 5a9b5af39e948919f272867516faa61c093124f6 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Tue, 21 Apr 2009 21:20:04 +0000 +Subject: hugetlbfs: return negative error code for bad mount option + +From: Akinobu Mita + +upstream commit: c12ddba09394c60e1120e6997794fa6ed52da884 + +This fixes the following BUG: + + # mount -o size=MM -t hugetlbfs none /huge + hugetlbfs: Bad value 'MM' for mount option 'size=MM' + ------------[ cut here ]------------ + kernel BUG at fs/super.c:996! + +Due to + + BUG_ON(!mnt->mnt_sb); + +in vfs_kern_mount(). + +Also, remove unused #include + +Cc: William Irwin +Signed-off-by: Akinobu Mita +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -26,7 +26,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -838,7 +837,7 @@ hugetlbfs_parse_options(char *options, s + bad_val: + printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n", + args[0].from, p); +- return 1; ++ return -EINVAL; + } + + static int diff --git a/queue-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch b/queue-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch new file mode 100644 index 00000000000..3180d2474de --- /dev/null +++ b/queue-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch @@ -0,0 +1,87 @@ +From f02b8624fedca39886b0eef770dca70c2f0749b3 Mon Sep 17 00:00:00 2001 +From: Ananth N Mavinakayanahalli +Date: Wed, 18 Mar 2009 17:06:21 +0530 +Subject: kprobes: Fix locking imbalance in kretprobes + +From: Ananth N Mavinakayanahalli + +commit f02b8624fedca39886b0eef770dca70c2f0749b3 upstream. + +Fix locking imbalance in kretprobes: + +===================================== +[ BUG: bad unlock balance detected! ] +------------------------------------- +kthreadd/2 is trying to release lock (&rp->lock) at: +[] pre_handler_kretprobe+0xea/0xf4 +but there are no more locks to release! + +other info that might help us debug this: +1 lock held by kthreadd/2: + #0: (rcu_read_lock){..--}, at: [] __atomic_notifier_call_chain+0x0/0x5a + +stack backtrace: +Pid: 2, comm: kthreadd Not tainted 2.6.29-rc8 #1 +Call Trace: + [] ? printk+0xf/0x17 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] print_unlock_inbalance_bug+0xc3/0xce + [] ? clocksource_read+0x7/0xa + [] ? getnstimeofday+0x5f/0xf6 + [] ? register_lock_class+0x17/0x293 + [] ? mark_lock+0x1e/0x30b + [] ? tick_dev_program_event+0x4a/0xbc + [] ? __slab_alloc+0xa5/0x415 + [] ? pre_handler_kretprobe+0x28/0xf4 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] lock_release_non_nested+0xa4/0x1a5 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] lock_release+0x141/0x166 + [] _spin_unlock_irqrestore+0x19/0x50 + [] pre_handler_kretprobe+0xea/0xf4 + [] kprobe_exceptions_notify+0x1c9/0x43e + [] notifier_call_chain+0x26/0x48 + [] __atomic_notifier_call_chain+0x37/0x5a + [] ? __atomic_notifier_call_chain+0x0/0x5a + [] atomic_notifier_call_chain+0xc/0xe + [] notify_die+0x2d/0x2f + [] do_int3+0x1f/0x71 + [] int3+0x2c/0x34 + [] ? do_fork+0x1/0x288 + [] ? kernel_thread+0x71/0x79 + [] ? kthread+0x0/0x60 + [] ? kthread+0x0/0x60 + [] ? kernel_thread_helper+0x0/0x10 + [] kthreadd+0xac/0x148 + [] ? kthreadd+0x0/0x148 + [] kernel_thread_helper+0x7/0x10 + +Signed-off-by: Ananth N Mavinakayanahalli +Tested-by: Bharata B Rao +Cc: Masami Hiramatsu +Cc: Jim Keniston +Cc: Linus Torvalds +Cc: Andrew Morton +Cc: [2.6.29.x, 2.6.28.x, 2.6.27.x] +LKML-Reference: <20090318113621.GB4129@in.ibm.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -890,10 +890,8 @@ static int __kprobes pre_handler_kretpro + ri->rp = rp; + ri->task = current; + +- if (rp->entry_handler && rp->entry_handler(ri, regs)) { +- spin_unlock_irqrestore(&rp->lock, flags); ++ if (rp->entry_handler && rp->entry_handler(ri, regs)) + return 0; +- } + + arch_prepare_kretprobe(ri, regs); + diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 590503fefaa..f7330c71b6a 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -16,3 +16,26 @@ ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch net-fix-sctp-breakage.patch +0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch +0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch +0031-mm-do_xip_mapping_read-fix-length-calculation.patch +0034-vfs-skip-I_CLEAR-state-inodes.patch +0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch +0044-net-netrom-Fix-socket-locking.patch +0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch +0049-splice-fix-deadlock-in-splicing-to-file.patch +0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch +0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch +0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch +0060-sched-do-not-count-frozen-tasks-toward-load.patch +0063-add-some-long-missing-capabilities-to-fs_mask.patch +0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch +0069-hpt366-fix-HPT370-DMA-timeouts.patch +0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch +0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch +0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch +0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch +0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch +0093-agp-zero-pages-before-sending-to-userspace.patch +0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch +kprobes-fix-locking-imbalance-in-kretprobes.patch