From: Greg Kroah-Hartman
Date: Wed, 27 May 2009 21:35:30 +0000 (-0700)
Subject: more .29 patches
X-Git-Tag: v2.6.27.25~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a895923a76153a1b79161686fad34889895af17;p=thirdparty%2Fkernel%2Fstable-queue.git
more .29 patches
---
diff --git a/queue-2.6.29/cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch b/queue-2.6.29/cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch
new file mode 100644
index 00000000000..a1c30e523db
--- /dev/null
+++ b/queue-2.6.29/cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch
@@ -0,0 +1,42 @@
+From 5078b2e32ad4b1f753b1c837c15892202f753c97 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Wed, 13 May 2009 17:04:42 -0400
+Subject: cfg80211: fix race between core hint and driver's custom apply
+
+From: Luis R. Rodriguez
+
+commit 5078b2e32ad4b1f753b1c837c15892202f753c97 upstream.
+
+Its possible for cfg80211 to have scheduled the work and for
+the global workqueue to not have kicked in prior to a cfg80211
+driver's regulatory hint or wiphy_apply_custom_regulatory().
+
+Although this is very unlikely its possible and should fix
+this race. When this race would happen you are expected to have
+hit a null pointer dereference panic.
+
+Signed-off-by: Luis R. Rodriguez
+Tested-by: Alan Jenkins
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1497,6 +1497,13 @@ int regulatory_init(void)
+ "using static definition\n");
+ #endif
+ 
++ /*
++ * This ensures last_request is populated once modules
++ * come swinging in and calling regulatory hints and
++ * wiphy_apply_custom_regulatory().
++ */
++ flush_scheduled_work();
++
+ return 0;
+ }
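Review bot: `flush_scheduled_work()` added to `regulatory_init()` drains the whole system workqueue, while the comment above it only needs the regulatory work item that was scheduled earlier in init (outside this hunk) to have run. If that work item is reachable here, `flush_work()` on it would state the dependency precisely and not stall init on unrelated queued work; the present call is correct but broader than the comment describes. The comment gives the effect (`last_request` populated) but not the ordering it guards, so a reader has to consult the commit message; suggest appending `/* drivers loaded after this may call regulatory hints immediately */`. regulatory_init's body starts outside the hunk.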
diff --git a/queue-2.6.29/drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch b/queue-2.6.29/drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
new file mode 100644
index 00000000000..cbbe3acac6e
--- /dev/null
+++ b/queue-2.6.29/drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
@@ -0,0 +1,36 @@
+From 42beefc0093725ec0f8cea340cc54c36ccaceea0 Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Wed, 6 May 2009 09:04:52 +1000
+Subject: drm/r128: fix r128 ioremaps to use ioremap_wc.
+
+From: Dave Airlie
+
+commit 42beefc0093725ec0f8cea340cc54c36ccaceea0 upstream.
+
+This should allow r128 to start working again since PAT changes.
+
+taken from F-11 kernel.
+
+Signed-off-by: Dave Airlie
+Cc: Venkatesh Pallipadi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/r128/r128_cce.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/r128/r128_cce.c
++++ b/drivers/gpu/drm/r128/r128_cce.c
+@@ -511,9 +511,9 @@ static int r128_do_init_cce(struct drm_d
+ 
+ #if __OS_HAS_AGP
+ if (!dev_priv->is_pci) {
+- drm_core_ioremap(dev_priv->cce_ring, dev);
+- drm_core_ioremap(dev_priv->ring_rptr, dev);
+- drm_core_ioremap(dev->agp_buffer_map, dev);
++ drm_core_ioremap_wc(dev_priv->cce_ring, dev);
++ drm_core_ioremap_wc(dev_priv->ring_rptr, dev);
++ drm_core_ioremap_wc(dev->agp_buffer_map, dev);
+ if (!dev_priv->cce_ring->handle ||
+ !dev_priv->ring_rptr->handle ||
+ !dev->agp_buffer_map->handle) {
diff --git a/queue-2.6.29/fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch b/queue-2.6.29/fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch
new file mode 100644
index 00000000000..52ebb3a3a64
--- /dev/null
+++ b/queue-2.6.29/fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch
@@ -0,0 +1,57 @@
+From 80193195f87ebca6d7417516d6edeb3969631c15 Mon Sep 17 00:00:00 2001
+From: David Woodhouse
+Date: Mon, 18 May 2009 13:07:35 +0100
+Subject: Fix oops on close of hot-unplugged FTDI serial converter
+
+From: David Woodhouse
+
+commit 80193195f87ebca6d7417516d6edeb3969631c15 upstream.
+
+Commit c45d6320 ("fix reference counting of ftdi_private") stopped
+ftdi_sio_port_remove() from directly freeing the port-private data, with
+the intention if the port was still open, it would be freed when
+ftdi_close() is eventually called and releases the last refcount on the
+structure.
+
+That's all very well, but ftdi_sio_port_remove() still contains a call
+to usb_set_serial_port_data(port, NULL) -- so by the time we get to
+ftdi_close() for the port which was unplugged, it _still_ oopses on
+dereferencing that NULL pointer, as it did before (and does in 2.6.29).
+
+The fix is just not to clear the private data in ftdi_sio_port_remove().
+Then the refcount is properly reduced to zero when the final kref_put()
+happens in ftdi_close().
+
+Remove a bogus comment too, while we're at it. And stop doing things
+inside "if (priv)" -- it must _always_ be there.
+
+Based loosely on an earlier patch by Daniel Mack, and suggestions by
+Alan Stern.
+
+Signed-off-by: David Woodhouse
+Tested-by: Daniel Mack
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1485,14 +1485,7 @@ static int ftdi_sio_port_remove(struct u
+ 
+ remove_sysfs_attrs(port);
+ 
+- /* all open ports are closed at this point
+- * (by usbserial.c:__serial_close, which calls ftdi_close)
+- */
+-
+- if (priv) {
+- usb_set_serial_port_data(port, NULL);
+- kref_put(&priv->kref, ftdi_sio_priv_release);
+- }
++ kref_put(&priv->kref, ftdi_sio_priv_release);
+ 
+ return 0;
+ }
diff --git a/queue-2.6.29/futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch b/queue-2.6.29/futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch
new file mode 100644
index 00000000000..61e55d4ad27
--- /dev/null
+++ b/queue-2.6.29/futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch
@@ -0,0 +1,134 @@
+From 64d1304a64477629cb16b75491a77bafe6f86963 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Mon, 18 May 2009 21:20:10 +0200
+Subject: futex: setup writeable mapping for futex ops which modify user space data
+
+From: Thomas Gleixner
+
+commit 64d1304a64477629cb16b75491a77bafe6f86963 upstream.
+
+The futex code installs a read only mapping via get_user_pages_fast()
+even if the futex op function has to modify user space data. The
+eventual fault was fixed up by futex_handle_fault() which walked the
+VMA with mmap_sem held.
+
+After the cleanup patches which removed the mmap_sem dependency of the
+futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex:
+clean up fault logic) removed the private VMA walk logic from the
+futex code. This change results in a stale RO mapping which is not
+fixed up.
+
+Instead of reintroducing the previous fault logic we set up the
+mapping in get_user_pages_fast() read/write for all operations which
+modify user space data. Also handle private futexes in the same way
+and make the current unconditional access_ok(VERIFY_WRITE) depend on
+the futex op.
+
+Reported-by: Andreas Schwab
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/futex.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -192,6 +192,7 @@ static void drop_futex_key_refs(union fu
+ * @shared: NULL for a PROCESS_PRIVATE futex,
+ * ¤t->mm->mmap_sem for a PROCESS_SHARED futex
+ * @key: address where result is stored.
++ * @rw: mapping needs to be read/write (values: VERIFY_READ, VERIFY_WRITE)
+ *
+ * Returns a negative error code or 0
+ * The key words are stored in *key on success.
+@@ -204,7 +205,8 @@ static void drop_futex_key_refs(union fu
+ * For other futexes, it points to ¤t->mm->mmap_sem and
+ * caller must have taken the reader lock. but NOT any spinlocks.
+ */
+-static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
++static int
++get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+ {
+ unsigned long address = (unsigned long)uaddr;
+ struct mm_struct *mm = current->mm;
+@@ -227,7 +229,7 @@ static int get_futex_key(u32 __user *uad
+ * but access_ok() should be faster than find_vma()
+ */
+ if (!fshared) {
+- if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
++ if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+ return -EFAULT;
+ key->private.mm = mm;
+ key->private.address = address;
+@@ -236,7 +238,7 @@ static int get_futex_key(u32 __user *uad
+ }
+ 
+ again:
+- err = get_user_pages_fast(address, 1, 0, &page);
++ err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page);
+ if (err < 0)
+ return err;
+ 
+@@ -707,7 +709,7 @@ static int futex_wake(u32 __user *uaddr,
+ if (!bitset)
+ return -EINVAL;
+ 
+- ret = get_futex_key(uaddr, fshared, &key);
++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+ 
+@@ -753,10 +755,10 @@ futex_wake_op(u32 __user *uaddr1, int fs
+ int ret, op_ret, attempt = 0;
+ 
+ retryfull:
+- ret = get_futex_key(uaddr1, fshared, &key1);
++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+- ret = get_futex_key(uaddr2, fshared, &key2);
++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+ 
+@@ -859,10 +861,10 @@ static int futex_requeue(u32 __user *uad
+ int ret, drop_count = 0;
+ 
+ retry:
+- ret = get_futex_key(uaddr1, fshared, &key1);
++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+- ret = get_futex_key(uaddr2, fshared, &key2);
++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+ 
+@@ -1181,7 +1183,7 @@ static int futex_wait(u32 __user *uaddr,
+ q.bitset = bitset;
+ retry:
+ q.key = FUTEX_KEY_INIT;
+- ret = get_futex_key(uaddr, fshared, &q.key);
++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+ 
+@@ -1370,7 +1372,7 @@ static int futex_lock_pi(u32 __user *uad
+ q.pi_state = NULL;
+ retry:
+ q.key = FUTEX_KEY_INIT;
+- ret = get_futex_key(uaddr, fshared, &q.key);
++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
+ 
+@@ -1630,7 +1632,7 @@ retry:
+ if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
+ return -EPERM;
+ 
+- ret = get_futex_key(uaddr, fshared, &key);
++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
+ 
diff --git a/queue-2.6.29/icom-fix-rmmod-crash.patch b/queue-2.6.29/icom-fix-rmmod-crash.patch
new file mode 100644
index 00000000000..d2e3617fa5e
--- /dev/null
+++ b/queue-2.6.29/icom-fix-rmmod-crash.patch
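Review bot: In the futex_requeue hunk (`@@ -859,10 +861,10`) uaddr2 is keyed with `VERIFY_WRITE`, which under the new `get_futex_key()` also makes `get_user_pages_fast()` demand a writable mapping; if the non-PI requeue path in this kernel never stores to uaddr2 (its body is outside the hunk), a shared futex whose target word sits in a read-only mapping will now fail with -EFAULT where it used to work, and `VERIFY_READ` would match the actual access, as chosen for futex_wake and futex_wait. Worth confirming against futex_requeue before the backport ships. The new kernel-doc line states only half of the parameter's effect; suggest `@rw: VERIFY_READ or VERIFY_WRITE; VERIFY_WRITE also requests a writable mapping from get_user_pages_fast()`.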
@@ -0,0 +1,53 @@
+From 95caa0a9bdaf93607bd0cc8932f53112496f2f22 Mon Sep 17 00:00:00 2001
+From: Breno Leitao
+Date: Fri, 22 May 2009 21:30:39 -0300
+Subject: icom: fix rmmod crash
+
+From: Breno Leitao
+
+commit 95caa0a9bdaf93607bd0cc8932f53112496f2f22 upstream.
+
+Actually the icom driver is crashing when is being removed because
+the driver is kfreeing the adapter structure before calling
+pci_release_regions(), which result in the following error:
+
+ Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6d33
+ Faulting instruction address: 0xc000000000246b80
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ....
+ [c000000012d436a0] [c0000000001002d0] .kfree+0x120/0x34c (unreliable)
+ [c000000012d43730] [c000000000246d60] .pci_release_selected_regions+0x3c/0x68
+ [c000000012d437c0] [d000000002d54700] .icom_kref_release+0xf4/0x118 [icom]
+ [c000000012d43850] [c000000000232e50] .kref_put+0x74/0x94
+ [c000000012d438d0] [d000000002d56c58] .icom_remove+0x40/0xa4 [icom]
+ [c000000012d43960] [c000000000249e48] .pci_device_remove+0x50/0x90
+ [c000000012d439e0] [c0000000002d68d8] .__device_release_driver+0x94/0xd4
+ [c000000012d43a70] [c0000000002d7104] .driver_detach+0xf8/0x12c
+ [c000000012d43b00] [c0000000002d549c] .bus_remove_driver+0xbc/0x11c
+ [c000000012d43b90] [c0000000002d71dc] .driver_unregister+0x60/0x80
+ [c000000012d43c20] [c00000000024a07c] .pci_unregister_driver+0x44/0xe8
+ [c000000012d43cb0] [d000000002d56bf4] .icom_exit+0x1c/0x40 [icom]
+ [c000000012d43d30] [c000000000095fa8] .SyS_delete_module+0x214/0x2a8
+ [c000000012d43e30] [c00000000000852c] syscall_exit+0x0/0x40
+
+Signed-off-by: Breno Leitao
+Cc: Alan Cox
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/serial/icom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/serial/icom.c
++++ b/drivers/serial/icom.c
+@@ -1482,8 +1482,8 @@ static void icom_remove_adapter(struct i
+ 
+ free_irq(icom_adapter->pci_dev->irq, (void *) icom_adapter);
+ iounmap(icom_adapter->base_addr);
+- icom_free_adapter(icom_adapter);
+ pci_release_regions(icom_adapter->pci_dev);
++ icom_free_adapter(icom_adapter);
+ }
+ 
+ static void icom_kref_release(struct kref *kref)
diff --git a/queue-2.6.29/kvm-fix-pdptr-reloading-on-cr4-writes.patch b/queue-2.6.29/kvm-fix-pdptr-reloading-on-cr4-writes.patch
new file mode 100644
index 00000000000..a6a42bf7b86
--- /dev/null
+++ b/queue-2.6.29/kvm-fix-pdptr-reloading-on-cr4-writes.patch
@@ -0,0 +1,49 @@
+From a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 Mon Sep 17 00:00:00 2001
+From: Avi Kivity
+Date: Sun, 24 May 2009 22:19:00 +0300
+Subject: KVM: Fix PDPTR reloading on CR4 writes
+
+From: Avi Kivity
+
+commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 upstream.
+
+The processor is documented to reload the PDPTRs while in PAE mode if any
+of the CR4 bits PSE, PGE, or PAE change. Linux relies on this
+behaviour when zapping the low mappings of PAE kernels during boot.
+
+The code already handled changes to CR4.PAE; augment it to also notice changes
+to PSE and PGE.
+
+This triggered while booting an F11 PAE kernel; the futex initialization code
+runs before any CR3 reloads and writes to a NULL pointer; the futex subsystem
+ended up uninitialized, killing PI futexes and pulseaudio which uses them.
+
+Signed-off-by: Avi Kivity
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -334,6 +334,9 @@ EXPORT_SYMBOL_GPL(kvm_lmsw);
+ 
+ void kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
++ unsigned long old_cr4 = vcpu->arch.cr4;
++ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE;
++
+ if (cr4 & CR4_RESERVED_BITS) {
+ printk(KERN_DEBUG "set_cr4: #GP, reserved bits\n");
+ kvm_inject_gp(vcpu, 0);
+@@ -347,7 +350,8 @@ void kvm_set_cr4(struct kvm_vcpu *vcpu,
+ kvm_inject_gp(vcpu, 0);
+ return;
+ }
+- } else if (is_paging(vcpu) && !is_pae(vcpu) && (cr4 & X86_CR4_PAE)
++ } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE)
++ && ((cr4 ^ old_cr4) & pdptr_bits)
+ && !load_pdptrs(vcpu, vcpu->arch.cr3)) {
+ printk(KERN_DEBUG "set_cr4: #GP, pdptrs reserved bits\n");
+ kvm_inject_gp(vcpu, 0);
diff --git a/queue-2.6.29/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch b/queue-2.6.29/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch
new file mode 100644
index 00000000000..c55cc888444
--- /dev/null
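Review bot: `pdptr_bits` in `kvm_set_cr4()` is a compile-time constant kept in a mutable local; `const unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE;` (or a named macro beside `CR4_RESERVED_BITS`) would make that intent visible to the reader and the compiler. The reason exactly these three bits force a PDPTR reload lives only in the commit message; a comment on the new condition keeps it with the code, e.g. `/* the CPU reloads the PDPTRs when PGE, PSE or PAE change under PAE paging */`. kvm_set_cr4's body continues outside the hunk.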
+++ b/queue-2.6.29/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch
@@ -0,0 +1,33 @@
+From a8cd0244e9cebcf9b358d24c7e7410062f3665cb Mon Sep 17 00:00:00 2001
+From: Avi Kivity
+Date: Sun, 24 May 2009 22:15:25 +0300
+Subject: KVM: Make paravirt tlb flush also reload the PAE PDPTRs
+
+From: Avi Kivity
+
+commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb upstream.
+
+The paravirt tlb flush may be used not only to flush TLBs, but also
+to reload the four page-directory-pointer-table entries, as it is used
+as a replacement for reloading CR3. Change the code to do the entire
+CR3 reloading dance instead of simply flushing the TLB.
+
+Signed-off-by: Avi Kivity
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2906,8 +2906,7 @@ static int kvm_pv_mmu_write(struct kvm_v
+ 
+ static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
+ {
+- kvm_x86_ops->tlb_flush(vcpu);
+- set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests);
++ kvm_set_cr3(vcpu, vcpu->arch.cr3);
+ return 1;
+ }
+ 
diff --git a/queue-2.6.29/mm-slub-fix-reclaim_state.patch b/queue-2.6.29/mm-slub-fix-reclaim_state.patch
new file mode 100644
index 00000000000..0609471dee8
--- /dev/null
+++ b/queue-2.6.29/mm-slub-fix-reclaim_state.patch
@@ -0,0 +1,42 @@
+From 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f Mon Sep 17 00:00:00 2001
+From: Nick Piggin
+Date: Tue, 5 May 2009 19:13:44 +1000
+Subject: mm: SLUB fix reclaim_state
+
+From: Nick Piggin
+
+commit 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f upstream.
+
+SLUB does not correctly account reclaim_state.reclaimed_slab, so it will
+break memory reclaim. Account it like SLAB does.
+
+Cc: linux-mm@kvack.org
+Cc: Matt Mackall
+Acked-by: Christoph Lameter
+Signed-off-by: Nick Piggin
+Signed-off-by: Pekka Enberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/slub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -9,6 +9,7 @@
+ */
+ 
+ #include
++#include /* struct reclaim_state */
+ #include
+ #include
+ #include
+@@ -1175,6 +1176,8 @@ static void __free_slab(struct kmem_cach
+ 
+ __ClearPageSlab(page);
+ reset_page_mapcount(page);
++ if (current->reclaim_state)
++ current->reclaim_state->reclaimed_slab += pages;
+ __free_pages(page, order);
+ }
+ 
@@ -0,0 +1,42 @@
+From 7ee2cb7f32b299c2b06a31fde155457203e4b7dd Mon Sep 17 00:00:00 2001
+From: Frank Filz
+Date: Mon, 18 May 2009 17:41:40 -0400
+Subject: nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+From: Frank Filz
+
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd upstream.
+
+The problem is that permission checking is skipped if atomic open is
+possible, but when exec opens a file, it just opens it O_READONLY which
+means EXEC permission will not be checked at that time.
+
+This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+Signed-off-by: Frank Filz
+Signed-off-by: Trond Myklebust
+Tested-by: Eugene Teo
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1943,7 +1943,8 @@ int nfs_permission(struct inode *inode,
+ case S_IFREG:
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+- && (mask & MAY_OPEN))
++ && (mask & MAY_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
diff --git a/queue-2.6.29/series b/queue-2.6.29/series
index 0498561d26c..d7b6fd3d530 100644
--- a/queue-2.6.29/series
+++ b/queue-2.6.29/series
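Review bot: The `/* NFSv4 has atomic_open... */` comment above the changed condition in `nfs_permission()` no longer explains it: the new `!(mask & MAY_EXEC)` clause exists because exec opens the file read-only, so the server-side atomic open never evaluates execute permission, and that reasoning is only in the commit message. A reader of fs/nfs/dir.c will otherwise see an access-control shortcut with an unexplained exception; suggest `/* NFSv4 atomic_open checks permission itself, but exec opens read-only, so MAY_EXEC must still be checked here */`. The enclosing switch in nfs_permission starts and ends outside the hunk.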
@@ -15,3 +15,15 @@ bonding-remove-debug-printk.patch
 r8169-avoid-losing-msi-interrupts.patch
 sparc-fix-bus-type-probing-for-esp-and-le-devices.patch
 sparc64-fix-smp_callin-locking.patch
+mm-slub-fix-reclaim_state.patch
+fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch
+wimax-fix-oops-if-netlink-fails-to-add-attribute.patch
+nfs-fix-nfs-v4-client-handling-of-may_exec-in-nfs_permission.patch
+futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch
+xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch
+tpm-get_event_name-stack-corruption.patch
+icom-fix-rmmod-crash.patch
+kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch
+kvm-fix-pdptr-reloading-on-cr4-writes.patch
+cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch
+drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
diff --git a/queue-2.6.29/tpm-get_event_name-stack-corruption.patch b/queue-2.6.29/tpm-get_event_name-stack-corruption.patch
new file mode 100644
index 00000000000..2008708aa69
--- /dev/null
+++ b/queue-2.6.29/tpm-get_event_name-stack-corruption.patch
@@ -0,0 +1,36 @@
+From fbaa58696cef848de818768783ef185bd3f05158 Mon Sep 17 00:00:00 2001
+From: Eric Paris
+Date: Wed, 13 May 2009 12:50:40 -0400
+Subject: TPM: get_event_name stack corruption
+
+From: Eric Paris
+
+commit fbaa58696cef848de818768783ef185bd3f05158 upstream.
+
+get_event_name uses sprintf to fill a buffer declared on the stack. It fills
+the buffer 2 bytes at a time. What the code doesn't take into account is that
+sprintf(buf, "%02x", data) actually writes 3 bytes. 2 bytes for the data and
+then it nul terminates the string. Since we declare buf to be 40 characters
+long and then we write 40 bytes of data into buf sprintf is going to write 41
+characters. The fix is to leave room in buf for the nul terminator.
+
+Signed-off-by: Eric Paris
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_bios.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_bios.c
++++ b/drivers/char/tpm/tpm_bios.c
+@@ -212,7 +212,8 @@ static int get_event_name(char *dest, st
+ unsigned char * event_entry)
+ {
+ const char *name = "";
+- char data[40] = "";
++ /* 41 so there is room for 40 data and 1 nul */
++ char data[41] = "";
+ int i, n_len = 0, d_len = 0;
+ struct tcpa_pc_event *pc_event;
+ 
diff --git a/queue-2.6.29/wimax-fix-oops-if-netlink-fails-to-add-attribute.patch b/queue-2.6.29/wimax-fix-oops-if-netlink-fails-to-add-attribute.patch
new file mode 100644
index 00000000000..0ec1a114b84
--- /dev/null
+++ b/queue-2.6.29/wimax-fix-oops-if-netlink-fails-to-add-attribute.patch
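Review bot: `char data[41]` closes the one-byte stack overrun, but the size remains a literal that must agree with a fill loop outside this hunk, which per the commit message writes two hex characters per byte with unbounded `sprintf()`; the next edit to either side can silently reintroduce the overrun. A structural fix would derive the array size from the number of bytes being formatted (two characters per byte plus one for the terminator) and have the loop write with `snprintf()` bounded by the remaining room in `data`, so a mismatch truncates instead of corrupting the stack. The comment could then say what the buffer holds rather than restate the arithmetic, e.g. `/* hex rendering of the event data, two chars per byte plus NUL */`. get_event_name's body continues outside the hunk.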
@@ -0,0 +1,48 @@
+From d1a2627a29667fe7c4a9d06e1579a2d65bd39bba Mon Sep 17 00:00:00 2001
+From: Inaky Perez-Gonzalez
+Date: Mon, 30 Mar 2009 17:50:17 -0700
+Subject: wimax: fix oops if netlink fails to add attribute
+
+From: Inaky Perez-Gonzalez
+
+commit d1a2627a29667fe7c4a9d06e1579a2d65bd39bba upstream.
+
+When sending a message to user space using wimax_msg(), if nla_put()
+fails, correctly interpret the return code from wimax_msg_alloc() as
+an err ptr and return the error code instead of crashing (as it is
+assuming than non-NULL means the pointer is ok).
+
+Signed-off-by: Inaky Perez-Gonzalez
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wimax/op-msg.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/wimax/op-msg.c
++++ b/net/wimax/op-msg.c
+@@ -149,7 +149,8 @@ struct sk_buff *wimax_msg_alloc(struct w
+ }
+ result = nla_put(skb, WIMAX_GNL_MSG_DATA, size, msg);
+ if (result < 0) {
+- dev_err(dev, "no memory to add payload in attribute\n");
++ dev_err(dev, "no memory to add payload (msg %p size %zu) in "
++ "attribute: %d\n", msg, size, result);
+ goto error_nla_put;
+ }
+ genlmsg_end(skb, genl_msg);
+@@ -302,10 +303,10 @@ int wimax_msg(struct wimax_dev *wimax_de
+ struct sk_buff *skb;
+ 
+ skb = wimax_msg_alloc(wimax_dev, pipe_name, buf, size, gfp_flags);
+- if (skb == NULL)
+- goto error_msg_new;
+- result = wimax_msg_send(wimax_dev, skb);
+-error_msg_new:
++ if (IS_ERR(skb))
++ result = PTR_ERR(skb);
++ else
++ result = wimax_msg_send(wimax_dev, skb);
+ return result;
+ }
+ EXPORT_SYMBOL_GPL(wimax_msg);
diff --git a/queue-2.6.29/xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch b/queue-2.6.29/xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch
new file mode 100644
index 00000000000..0c19640a0eb
--- /dev/null
+++ b/queue-2.6.29/xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch
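Review bot: The widened `dev_err()` in `wimax_msg_alloc()` logs the kernel address of `msg` with `%p`; the payload size and the `nla_put()` return code already identify the failure, and a raw kernel pointer in the system log is information a defender would rather not hand to every reader of dmesg. Suggest `dev_err(dev, "no memory to add payload (size %zu) in attribute: %d\n", size, result);`, which also keeps the format string on one line so the message stays greppable. The `wimax_msg()` hunk is the actual oops fix and looks right: `result` is assigned on both branches of the `IS_ERR()` test.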
@@ -0,0 +1,39 @@
+From 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 Mon Sep 17 00:00:00 2001
+From: Ian Campbell
+Date: Tue, 19 May 2009 08:25:48 +0200
+Subject: xen/blkfront: allow xenbus state transition to Closing->Closed when not Connected
+
+From: Ian Campbell
+
+commit 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 upstream.
+
+This situation can occur when attempting to attach a block device whose
+backend is an empty physical CD-ROM driver. The backend in this case
+will go directly from the Initialising state to Closing->Closed.
+Previously this would result in a NULL pointer deref on info->gd
+(xenbus_dev_fatal does not return as a1a15ac5 seems to expect)
+
+Signed-off-by: Ian Campbell
+Acked-by: Jeremy Fitzhardinge
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkfront.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -977,8 +977,10 @@ static void backend_changed(struct xenbu
+ break;
+ 
+ case XenbusStateClosing:
+- if (info->gd == NULL)
+- xenbus_dev_fatal(dev, -ENODEV, "gd is NULL");
++ if (info->gd == NULL) {
++ xenbus_frontend_closed(dev);
++ break;
++ }
+ bd = bdget_disk(info->gd, 0);
+ if (bd == NULL)
+ xenbus_dev_fatal(dev, -ENODEV, "bdget failed");