From: Greg Kroah-Hartman Date: Mon, 19 Mar 2007 21:42:06 +0000 (-0700) Subject: started 2.6.20.4 review cycle X-Git-Tag: v2.6.20.4~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fa90ea99051cb326220a5fb7f3768ceedb3dd4d;p=thirdparty%2Fkernel%2Fstable-queue.git started 2.6.20.4 review cycle
---
diff --git a/queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch b/review-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
similarity index 97%
rename from queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
rename to review-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
index 6413df989e2..0acff59d9af 100644
--- a/queue-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
+++ b/review-2.6.20/SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
@@ -16,7 +16,7 @@ The fix is to initialise the sg_ranz field to zero at the start of
 gdth_fill_raw_cmd().
 Signed-off-by: Joerg Dorchain
-Acked-by: "Leubner, Achim"
+Acked-by: "Achim Leubner"
 Signed-off-by: Andrew Morton
 Signed-off-by: James Bottomley
 Signed-off-by: Greg Kroah-Hartman
diff --git a/queue-2.6.20/adjust-legacy-ide-resource-setting.patch b/review-2.6.20/adjust-legacy-ide-resource-setting.patch
similarity index 100%
rename from queue-2.6.20/adjust-legacy-ide-resource-setting.patch
rename to review-2.6.20/adjust-legacy-ide-resource-setting.patch
diff --git a/queue-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch b/review-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch
similarity index 100%
rename from queue-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch
rename to review-2.6.20/copy-over-mac_len-when-cloning-an-skb.patch
diff --git a/queue-2.6.20/dio-invalidate-clean-pages-before-dio-write.patch b/review-2.6.20/dio-invalidate-clean-pages-before-dio-write.patch
similarity index 100%
rename from queue-2.6.20/dio-invalidate-clean-pages-before-dio-write.patch
rename to review-2.6.20/dio-invalidate-clean-pages-before-dio-write.patch
diff --git a/queue-2.6.20/ehci-add-delay-to-bus_resume-before-accessing-ports.patch b/review-2.6.20/ehci-add-delay-to-bus_resume-before-accessing-ports.patch
similarity index 100%
rename from queue-2.6.20/ehci-add-delay-to-bus_resume-before-accessing-ports.patch
rename to review-2.6.20/ehci-add-delay-to-bus_resume-before-accessing-ports.patch
diff --git a/queue-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch b/review-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
similarity index 100%
rename from queue-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
rename to review-2.6.20/fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
diff --git a/queue-2.6.20/fix-deadlock-in-audit_log_task_context.patch b/review-2.6.20/fix-deadlock-in-audit_log_task_context.patch
similarity index 100%
rename from queue-2.6.20/fix-deadlock-in-audit_log_task_context.patch
rename to review-2.6.20/fix-deadlock-in-audit_log_task_context.patch
diff --git a/queue-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch b/review-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch
similarity index 100%
rename from queue-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch
rename to review-2.6.20/fix-extraneous-ipsec-larval-sa-creation.patch
diff --git a/queue-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch b/review-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch
similarity index 100%
rename from queue-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch
rename to review-2.6.20/fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch
diff --git a/queue-2.6.20/fix-ipv6-flow-label-inheritance.patch b/review-2.6.20/fix-ipv6-flow-label-inheritance.patch
similarity index 100%
rename from queue-2.6.20/fix-ipv6-flow-label-inheritance.patch
rename to review-2.6.20/fix-ipv6-flow-label-inheritance.patch
diff --git a/queue-2.6.20/fix-mtime_sec_max-on-32-bit.patch b/review-2.6.20/fix-mtime_sec_max-on-32-bit.patch
similarity index 100%
rename from queue-2.6.20/fix-mtime_sec_max-on-32-bit.patch
rename to review-2.6.20/fix-mtime_sec_max-on-32-bit.patch
diff --git a/queue-2.6.20/fix-page-allocation-debugging-on-sparc64.patch b/review-2.6.20/fix-page-allocation-debugging-on-sparc64.patch
similarity index 100%
rename from queue-2.6.20/fix-page-allocation-debugging-on-sparc64.patch
rename to review-2.6.20/fix-page-allocation-debugging-on-sparc64.patch
diff --git a/queue-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch b/review-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch
similarity index 100%
rename from queue-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch
rename to review-2.6.20/fix-read-past-end-of-array-in-md-linear.c.patch
diff --git a/queue-2.6.20/fix-rtm_to_ifaddr-error-return.patch b/review-2.6.20/fix-rtm_to_ifaddr-error-return.patch
similarity index 100%
rename from queue-2.6.20/fix-rtm_to_ifaddr-error-return.patch
rename to review-2.6.20/fix-rtm_to_ifaddr-error-return.patch
diff --git a/queue-2.6.20/fix-sparc64-hugepage-bugs.patch b/review-2.6.20/fix-sparc64-hugepage-bugs.patch
similarity index 100%
rename from queue-2.6.20/fix-sparc64-hugepage-bugs.patch
rename to review-2.6.20/fix-sparc64-hugepage-bugs.patch
diff --git a/queue-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch b/review-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch
similarity index 100%
rename from queue-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch
rename to review-2.6.20/fix-user-copy-length-in-ipv6_sockglue.c.patch
diff --git a/queue-2.6.20/futex-pi-state-locking-fix.patch b/review-2.6.20/futex-pi-state-locking-fix.patch
similarity index 100%
rename from queue-2.6.20/futex-pi-state-locking-fix.patch
rename to review-2.6.20/futex-pi-state-locking-fix.patch
diff --git a/queue-2.6.20/hda-intel-fix-codec-probe-with-ati-controllers.patch b/review-2.6.20/hda-intel-fix-codec-probe-with-ati-controllers.patch
similarity index 100%
rename from queue-2.6.20/hda-intel-fix-codec-probe-with-ati-controllers.patch
rename to review-2.6.20/hda-intel-fix-codec-probe-with-ati-controllers.patch
diff --git a/queue-2.6.20/hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch b/review-2.6.20/hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch
similarity index 100%
rename from queue-2.6.20/hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch
rename to review-2.6.20/hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch
diff --git a/queue-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch b/review-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
similarity index 100%
rename from queue-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
rename to review-2.6.20/ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
diff --git a/queue-2.6.20/initialise-pi_lock-if-config_rt_mutexes-n.patch b/review-2.6.20/initialise-pi_lock-if-config_rt_mutexes-n.patch
similarity index 100%
rename from queue-2.6.20/initialise-pi_lock-if-config_rt_mutexes-n.patch
rename to review-2.6.20/initialise-pi_lock-if-config_rt_mutexes-n.patch
diff --git a/queue-2.6.20/input-i8042-fix-aux-irq-delivery-check.patch b/review-2.6.20/input-i8042-fix-aux-irq-delivery-check.patch
similarity index 100%
rename from queue-2.6.20/input-i8042-fix-aux-irq-delivery-check.patch
rename to review-2.6.20/input-i8042-fix-aux-irq-delivery-check.patch
diff --git a/queue-2.6.20/input-i8042-really-suppress-ack-nak-during-panic-blink.patch b/review-2.6.20/input-i8042-really-suppress-ack-nak-during-panic-blink.patch
similarity index 100%
rename from queue-2.6.20/input-i8042-really-suppress-ack-nak-during-panic-blink.patch
rename to review-2.6.20/input-i8042-really-suppress-ack-nak-during-panic-blink.patch
diff --git a/queue-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch b/review-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch
similarity index 100%
rename from queue-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch
rename to review-2.6.20/irda-irttp_dup-spin_lock-initialisation.patch
diff --git a/review-2.6.20/mbox b/review-2.6.20/mbox
new file mode 100644
index 00000000000..96166a2f04d
--- /dev/null
+++ b/review-2.6.20/mbox
@@ -0,0 +1,2748 @@
+From gregkh@mini.kroah.org Mon Mar 19 14:33:46 2007
+Message-Id: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:47 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/31] 2.6.20-stable review
+Content-Length: 734
+Lines: 17
+
+This is the start of the stable review cycle for the 2.6.20.4 release.
+There are 31 patches in this series, all will be posted as a response
+to this one. If anyone has any issues with these being applied, please
+let us know. If anyone is a maintainer of the proper subsystem, and
+wants to add a
Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the
+Cc: line. If you wish to be a reviewer, please email stable@kernel.org
+to add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Thursday March, 22, 15:00:00 UTC.
+Anything received after that time might be too late.
+
+thanks,
+
+the -stable release team
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:46 2007
+Message-Id: <20070319213346.871920386@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:48 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ bunk@stusta.de,
+ Olaf Kirch ,
+ "David S. Miller"
+Subject: [patch 01/31] Fix another NULL pointer deref in ipv6_sockglue.c
+Content-Disposition: inline; filename=fix-another-null-pointer-deref-in-ipv6_sockglue.c.patch
+Content-Length: 886
+Lines: 31
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Olaf Kirch
+
+[IPV6]: Fix for ipv6_setsockopt NULL dereference
+
+I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -414,7 +414,7 @@ static int do_ipv6_setsockopt(struct soc
+ }
+
+ /* routing header option needs extra check */
+- if (optname == IPV6_RTHDR && opt->srcrt) {
++ if (optname == IPV6_RTHDR && opt && opt->srcrt) {
+ struct ipv6_rt_hdr *rthdr = opt->srcrt;
+ switch (rthdr->type) {
+ case IPV6_SRCRT_TYPE_0:
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.054127446@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:49 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ bunk@stusta.de,
+ Evgeniy Polyakov ,
+ "David S. Miller"
+Subject: [patch 02/31] Fix rtm_to_ifaddr() error return.
+Content-Disposition: inline; filename=fix-rtm_to_ifaddr-error-return.patch
+Content-Length: 891
+Lines: 36
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+
+From: Evgeniy Polyakov
+
+[IPV4]: Fix rtm_to_ifaddr() error handling.
+
+Return negative error value (embedded in the pointer) instead of
+returning NULL.
+
+Signed-off-by: Evgeniy Polyakov
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/devinet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -503,8 +503,10 @@ static struct in_ifaddr *rtm_to_ifaddr(s
+ goto errout;
+
+ ifm = nlmsg_data(nlh);
+- if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL)
++ if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL) {
++ err = -EINVAL;
+ goto errout;
++ }
+
+ dev = __dev_get_by_index(ifm->ifa_index);
+ if (dev == NULL) {
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.131733489@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:50 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ bunk@stusta.de,
+ Chris Wright ,
+ "David S. Miller"
+Subject: [patch 03/31] Fix user copy length in ipv6_sockglue.c
+Content-Disposition: inline; filename=fix-user-copy-length-in-ipv6_sockglue.c.patch
+Content-Length: 861
+Lines: 32
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Chris Wright
+
+[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
+
+User supplied len < 0 can cause leak of kernel memory.
+Use unsigned compare instead.
+
+Signed-off-by: Chris Wright
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -805,7 +805,7 @@ static int ipv6_getsockopt_sticky(struct
+ return 0;
+ hdr = opt->hopopt;
+
+- len = min_t(int, len, ipv6_optlen(hdr));
++ len = min_t(unsigned int, len, ipv6_optlen(hdr));
+ if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ return -EFAULT;
+ return len;
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.263421674@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:51 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Joerg Dorchain ,
+ "Achim Leubner" ,
+ James Bottomley
+Subject: [patch 04/31] gdth: fix oops in gdth_copy_cmd()
+Content-Disposition: inline; filename=SCSI-gdth-fix-oops-in-gdth_copy_cmd.patch
+Content-Length: 1780
+Lines: 46
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+Recent alterations to the gdth_fill_raw_cmd() path no longer set the
+sg_ranz field for zero transfer commands. However, this field is used
+lower down in the function to initialise ha->cmd_len to the size of
+the firmware packet. If this uninitialised field contains a bogus
+value, ha->cmd_len can become much larger than the actual firmware
+packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
+huge packet to the device (usually because it runs into an unallocated
+page).
+
+The fix is to initialise the sg_ranz field to zero at the start of
+gdth_fill_raw_cmd().
+
+Signed-off-by: Joerg Dorchain
+Acked-by: "Achim Leubner"
+Signed-off-by: Andrew Morton
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/gdth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw64.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
++ cmdp->u.raw64.sg_ranz = 0;
+ } else {
+ cmdp->u.raw.reserved = 0;
+ cmdp->u.raw.mdisc_time = 0;
+@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,S
+ cmdp->u.raw.direction =
+ gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
+ memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
++ cmdp->u.raw.sg_ranz = 0;
+ }
+
+ if (scp->use_sg) {
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.394196553@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:52 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Paul Moore ,
+ James Morris ,
+ "David S. Miller"
+Subject: [patch 05/31] NetLabel: Verify sensitivity level has a valid CIPSO mapping
+Content-Disposition: inline; filename=netlabel-cipso_std_bug
+Content-Length: 1596
+Lines: 50
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+The current CIPSO engine has a problem where it does not verify that the given
+sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
+used.
The end result is that bad packets are sent on the wire which should
+have never been sent in the first place. This patch corrects this problem by
+verifying the sensitivity level mapping similar to what is done with the
+category mapping. This patch also changes the returned error code in this case
+to -EPERM to better match what the category mapping verification code returns.
+
+Signed-off-by: Paul Moore
+Acked-by: James Morris
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/ipv4/cipso_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
+ *net_lvl = host_lvl;
+ return 0;
+ case CIPSO_V4_MAP_STD:
+- if (host_lvl < doi_def->map.std->lvl.local_size) {
++ if (host_lvl < doi_def->map.std->lvl.local_size &&
++ doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
+ *net_lvl = doi_def->map.std->lvl.local[host_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
+@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
+ *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
+ return 0;
+ }
+- break;
++ return -EPERM;
+ }
+
+ return -EINVAL;
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.527381681@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:53 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Michal Miroslaw ,
+ Patrick McHardy
+Subject: [patch 06/31] NETFILTER: nfnetlink_log: fix reference counting
+Content-Disposition: inline;
filename=netfilter-nfnetlink_log-fix-reference-counting.patch
+Content-Length: 1356
+Lines: 47
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Michal Miroslaw
+
+[NETFILTER]: nfnetlink_log: fix reference counting
+
+Fix reference counting (memory leak) problem in __nfulnl_send() and callers
+related to packet queueing.
+
+Signed-off-by: Michal Miroslaw
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_log.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -218,10 +218,8 @@ _instance_destroy2(struct nfulnl_instanc
+ spin_lock_bh(&inst->lock);
+ if (inst->skb) {
+ /* timer "holds" one reference (we have one more) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ if (inst->qlen)
+ __nfulnl_send(inst);
+ if (inst->skb) {
+@@ -695,10 +693,8 @@ nfulnl_log_packet(unsigned int pf,
+ UDEBUG("flushing old skb\n");
+
+ /* timer "holds" one reference (we have another one) */
+- if (timer_pending(&inst->timer)) {
+- del_timer(&inst->timer);
++ if (del_timer(&inst->timer))
+ instance_put(inst);
+- }
+ __nfulnl_send(inst);
+
+ if (!(inst->skb = nfulnl_alloc_skb(nlbufsiz, size))) {
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.680809058@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:54 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ KAMEZAWA Hiroyuki ,
+ Tony Luck
+Subject: [patch 07/31] IA64: fix NULL
pointer in ia64/irq_chip-mask/unmask function
+Content-Disposition: inline; filename=ia64-fix-null-pointer-in-ia64-irq_chip-mask-unmask-function.patch
+Content-Length: 2912
+Lines: 96
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: KAMEZAWA Hiroyuki
+
+[IA64] fix NULL pointer in ia64/irq_chip-mask/unmask function
+
+This patch fixes boot failure because irq_desc->mask() is NULL.
+
+- Added mask/unmask functions to ia64's irq desc function table.
+- rename hw_interrupt_type to irq_chip. hw_interrupt_type is old name.
+- Tony: Added same change to arch/ia64/sn/kernel/irq.c as pointed out
+ by Eric Biederman ... mask/unmask functions there can be no-op.
+
+Signed-off-by: KAMEZAWA Hiroyuki
+Signed-off-by: Andrew Morton
+Signed-off-by: Tony Luck
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/ia64/kernel/iosapic.c | 8 ++++++--
+ arch/ia64/sn/kernel/irq.c | 14 +++++++++++++-
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/arch/ia64/kernel/iosapic.c
++++ b/arch/ia64/kernel/iosapic.c
+@@ -446,7 +446,7 @@ iosapic_end_level_irq (unsigned int irq)
+ #define iosapic_disable_level_irq mask_irq
+ #define iosapic_ack_level_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_level = {
++struct irq_chip irq_type_iosapic_level = {
+ .name = "IO-SAPIC-level",
+ .startup = iosapic_startup_level_irq,
+ .shutdown = iosapic_shutdown_level_irq,
+@@ -454,6 +454,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_level_irq,
+ .ack = iosapic_ack_level_irq,
+ .end = iosapic_end_level_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+@@ -493,7 +495,7 @@ iosapic_ack_edge_irq (unsigned int irq)
+ #define iosapic_disable_edge_irq nop
+ #define iosapic_end_edge_irq nop
+
+-struct hw_interrupt_type irq_type_iosapic_edge = {
++struct irq_chip irq_type_iosapic_edge = {
+ .name = "IO-SAPIC-edge",
+ .startup = iosapic_startup_edge_irq,
+
.shutdown = iosapic_disable_edge_irq,
+@@ -501,6 +503,8 @@ struct hw_interrupt_type irq_type_iosapi
+ .disable = iosapic_disable_edge_irq,
+ .ack = iosapic_ack_edge_irq,
+ .end = iosapic_end_edge_irq,
++ .mask = mask_irq,
++ .unmask = unmask_irq,
+ .set_affinity = iosapic_set_affinity
+ };
+
+--- a/arch/ia64/sn/kernel/irq.c
++++ b/arch/ia64/sn/kernel/irq.c
+@@ -205,7 +205,17 @@ static void sn_set_affinity_irq(unsigned
+ (void)sn_retarget_vector(sn_irq_info, nasid, slice);
+ }
+
+-struct hw_interrupt_type irq_type_sn = {
++static void
++sn_mask_irq(unsigned int irq)
++{
++}
++
++static void
++sn_unmask_irq(unsigned int irq)
++{
++}
++
++struct irq_chip irq_type_sn = {
+ .name = "SN hub",
+ .startup = sn_startup_irq,
+ .shutdown = sn_shutdown_irq,
+@@ -213,6 +223,8 @@ struct hw_interrupt_type irq_type_sn = {
+ .disable = sn_disable_irq,
+ .ack = sn_ack_irq,
+ .end = sn_end_irq,
++ .mask = sn_mask_irq,
++ .unmask = sn_unmask_irq,
+ .set_affinity = sn_set_affinity_irq
+ };
+
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:47 2007
+Message-Id: <20070319213347.785405883@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:55 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jan Beulich ,
+ Alan Cox ,
+ Bartlomiej Zolnierkiewicz
+Subject: [patch 08/31] adjust legacy IDE resource setting (v2)
+Content-Disposition: inline; filename=adjust-legacy-ide-resource-setting.patch
+Content-Length: 3355
+Lines: 90
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jan Beulich
+
+adjust legacy IDE resource setting (v2)
+
+The change to force legacy mode IDE channels' resources to fixed non-zero
+values confuses (at least some versions of) X, because the values reported
+by the kernel and those readable from PCI config space aren't consistent
+anymore. Therefore, this patch arranges for the respective BARs to also
+get updated if possible.
+
+Signed-off-by: Jan Beulich
+Acked-by: Alan Cox
+Signed-off-by: Andrew Morton
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/probe.c | 45 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -639,7 +639,34 @@ static void pci_read_irq(struct pci_dev
+ dev->irq = irq;
+ }
+
+-#define LEGACY_IO_RESOURCE (IORESOURCE_IO | IORESOURCE_PCI_FIXED)
++static void change_legacy_io_resource(struct pci_dev * dev, unsigned index,
++ unsigned start, unsigned end)
++{
++ unsigned base = start & PCI_BASE_ADDRESS_IO_MASK;
++ unsigned len = (end | ~PCI_BASE_ADDRESS_IO_MASK) - base + 1;
++
++ /*
++ * Some X versions get confused when the BARs reported through
++ * /sys or /proc differ from those seen in config space, thus
++ * try to update the config space values, too.
++ */
++ if (!(pci_resource_flags(dev, index) & IORESOURCE_IO))
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (not I/O)\n",
++ pci_name(dev), index);
++ else if (pci_resource_len(dev, index) != len)
++ printk(KERN_WARNING "%s: cannot adjust BAR%u (size %04X)\n",
++ pci_name(dev), index, (unsigned)pci_resource_len(dev, index));
++ else {
++ printk(KERN_INFO "%s: trying to change BAR%u from %04X to %04X\n",
++ pci_name(dev), index,
++ (unsigned)pci_resource_start(dev, index), base);
++ pci_write_config_dword(dev, PCI_BASE_ADDRESS_0 + index * 4, base);
++ }
++ pci_resource_start(dev, index) = start;
++ pci_resource_end(dev, index) = end;
++ pci_resource_flags(dev, index) =
++ IORESOURCE_IO | IORESOURCE_PCI_FIXED | PCI_BASE_ADDRESS_SPACE_IO;
++}
+
+ /**
+ * pci_setup_device - fill in class and map information of a device
+@@ -692,20 +719,12 @@ static int pci_setup_device(struct pci_d
+ u8 progif;
+ pci_read_config_byte(dev, PCI_CLASS_PROG, &progif);
+ if ((progif & 1) == 0) {
+- dev->resource[0].start = 0x1F0;
+- dev->resource[0].end = 0x1F7;
+- dev->resource[0].flags = LEGACY_IO_RESOURCE;
+- dev->resource[1].start = 0x3F6;
+- dev->resource[1].end = 0x3F6;
+- dev->resource[1].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 0, 0x1F0, 0x1F7);
++ change_legacy_io_resource(dev, 1, 0x3F6, 0x3F6);
+ }
+ if ((progif & 4) == 0) {
+- dev->resource[2].start = 0x170;
+- dev->resource[2].end = 0x177;
+- dev->resource[2].flags = LEGACY_IO_RESOURCE;
+- dev->resource[3].start = 0x376;
+- dev->resource[3].end = 0x376;
+- dev->resource[3].flags = LEGACY_IO_RESOURCE;
++ change_legacy_io_resource(dev, 2, 0x170, 0x177);
++ change_legacy_io_resource(dev, 3, 0x376, 0x376);
+ }
+ }
+ break;
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007
+Message-Id: <20070319213347.919934573@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:56 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+
stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ npiggin@suse.de,
+ hugh@veritas.com,
+ pbadari@us.ibm.com
+Subject: [patch 09/31] mm: fix madvise infinine loop
+Content-Disposition: inline; filename=mm-fix-madvise-infinine-loop.patch
+Content-Length: 1332
+Lines: 47
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Nick Piggin
+
+madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
+call covers a region from the start of a vma, and extending past that vma.
+
+Signed-off-by: Nick Piggin
+Cc: Badari Pulavarty
+Acked-by: Hugh Dickins
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/madvise.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_a
+ * Other filesystems return -ENOSYS.
+ */
+ static long madvise_remove(struct vm_area_struct *vma,
++ struct vm_area_struct **prev,
+ unsigned long start, unsigned long end)
+ {
+ struct address_space *mapping;
+ loff_t offset, endoff;
+
++ *prev = vma;
++
+ if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
+ return -EINVAL;
+
+@@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma,
+ error = madvise_behavior(vma, prev, start, end, behavior);
+ break;
+ case MADV_REMOVE:
+- error = madvise_remove(vma, start, end);
++ error = madvise_remove(vma, prev, start, end);
+ break;
+
+ case MADV_WILLNEED:
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007
+Message-Id: <20070319213348.039933589@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:57 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Stern
+Subject: [patch 10/31] EHCI: add delay to bus_resume before accessing ports
+Content-Disposition: inline; filename=ehci-add-delay-to-bus_resume-before-accessing-ports.patch
+Content-Length: 1059
+Lines: 33
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alan Stern
+
+This patch (as870) adds a delay to ehci-hcd's bus_resume routine.
+Apparently there are controllers and/or BIOSes out there which need
+such a delay to get the ports back into their correct state. This
+fixes Bugzilla #8190.
+
+Signed-off-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-hub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/ehci-hub.c
++++ b/drivers/usb/host/ehci-hub.c
+@@ -134,6 +134,10 @@ static int ehci_bus_resume (struct usb_h
+ /* restore CMD_RUN, framelist size, and irq threshold */
+ writel (ehci->command, &ehci->regs->command);
+
++ /* Some controller/firmware combinations need a delay during which
++ * they set up the port statuses. See Bugzilla #8190. */
++ mdelay(8);
++
+ /* manually resume the ports we suspended during bus_suspend() */
+ i = HCS_N_PORTS (ehci->hcs_params);
+ while (i--) {
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007
+Message-Id: <20070319213348.171618701@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:30:58 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ torvalds@linux-foundation.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ mingo@elte.hu,
+ zilvinas@wilibox.com
+Subject: [patch 11/31] initialise pi_lock if CONFIG_RT_MUTEXES=N
+Content-Disposition: inline; filename=initialise-pi_lock-if-config_rt_mutexes-n.patch
+Content-Length: 778
+Lines: 31
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+
+From: Zilvinas Valinskas
+
+Fixes a bogus lockdep warning which causes lockdep to disable itself.
+ +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -933,8 +933,8 @@ asmlinkage long sys_set_tid_address(int + + static inline void rt_mutex_init_task(struct task_struct *p) + { +-#ifdef CONFIG_RT_MUTEXES + spin_lock_init(&p->pi_lock); ++#ifdef CONFIG_RT_MUTEXES + plist_head_init(&p->pi_waiters, &p->pi_lock); + p->pi_blocked_on = NULL; + #endif + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007 +Message-Id: <20070319213348.297599620@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:30:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + tglx@linutronix.de, + mingo@elte.hu +Subject: [patch 12/31] futex: PI state locking fix +Content-Disposition: inline; filename=futex-pi-state-locking-fix.patch +Content-Length: 1037 +Lines: 39 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ingo Molnar + +Testing of -rt by IBM uncovered a locking bug in wake_futex_pi(): the PI +state needs to be locked before we access it. 
+ +Signed-off-by: Ingo Molnar +Acked-by: Thomas Gleixner +Cc: Chuck Ebbert +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -565,6 +565,7 @@ static int wake_futex_pi(u32 __user *uad + if (!pi_state) + return -EINVAL; + ++ spin_lock(&pi_state->pi_mutex.wait_lock); + new_owner = rt_mutex_next_owner(&pi_state->pi_mutex); + + /* +@@ -604,6 +605,7 @@ static int wake_futex_pi(u32 __user *uad + pi_state->owner = new_owner; + spin_unlock_irq(&new_owner->pi_lock); + ++ spin_unlock(&pi_state->pi_mutex.wait_lock); + rt_mutex_unlock(&pi_state->pi_mutex); + + return 0; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007 +Message-Id: <20070319213348.427882223@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + olof@lixom.net, + Trond.Myklebust@netapp.com, + trond.myklebust@fys.uio.no +Subject: [patch 13/31] nfs: nfs_getattr() cant call nfs_sync_mapping_range() for non-regular files +Content-Disposition: inline; filename=nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch +Content-Length: 1113 +Lines: 35 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + + +From: Trond Myklebust + +Looks like we need a check in nfs_getattr() for a regular file. It makes +no sense to call nfs_sync_mapping_range() on anything else. I think that +should fix your problem: it will stop the NFS client from interfering +with dirty pages on that inode's mapping. 
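Review bot: The `spin_lock(&pi_state->pi_mutex.wait_lock)` taken in the first hunk of wake_futex_pi is released only by the `spin_unlock` added in the second hunk, just before `rt_mutex_unlock()`, and the lines between the two hunks are not shown. If any early `return` sits in that stretch (the handling of a failed update of the user-space word would be the likely place), it now leaves with wait_lock held. Each such exit needs `spin_unlock(&pi_state->pi_mutex.wait_lock);` before returning, or the exits should be funnelled through one unlock label. Because `uaddr` is a user pointer, an unbalanced path here would be reachable from unprivileged code and would hang later lockers, so the in-between lines deserve an explicit check before this goes to stable.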
+ +Signed-off-by: Trond Myklebust +Acked-by: Olof Johansson +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -422,7 +422,8 @@ int nfs_getattr(struct vfsmount *mnt, st + int err; + + /* Flush out writes to the server in order to update c/mtime */ +- nfs_sync_mapping_range(inode->i_mapping, 0, 0, FLUSH_NOCOMMIT); ++ if (S_ISREG(inode->i_mode)) ++ nfs_sync_mapping_range(inode->i_mapping, 0, 0, FLUSH_NOCOMMIT); + + /* + * We may force a getattr if the user cares about atime. + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007 +Message-Id: <20070319213348.561175472@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mingo@elte.hu, + tglx@linutronix.de +Subject: [patch 14/31] hrtimer: prevent overrun DoS in hrtimer_forward() +Content-Disposition: inline; filename=hrtimer-prevent-overrun-dos-in-hrtimer_forward.patch +Content-Length: 1220 +Lines: 42 + + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Thomas Gleixner + +hrtimer_forward() does not check for the possible overflow of +timer->expires. This can happen on 64 bit machines with large interval +values and results currently in an endless loop in the softirq because the +expiry value becomes negative and therefor the timer is expired all the +time. + +Check for this condition and set the expiry value to the max. expiry time +in the future. The fix should be applied to stable kernel series as well. 
+ +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -332,6 +332,12 @@ hrtimer_forward(struct hrtimer *timer, k + orun++; + } + timer->expires = ktime_add(timer->expires, interval); ++ /* ++ * Make sure, that the result did not wrap with a very large ++ * interval. ++ */ ++ if (timer->expires.tv64 < 0) ++ timer->expires = ktime_set(KTIME_SEC_MAX, 0); + + return orun; + } + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007 +Message-Id: <20070319213348.699410198@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + mingo@elte.hu, + tglx@linutronix.de +Subject: [patch 15/31] fix MTIME_SEC_MAX on 32-bit +Content-Disposition: inline; filename=fix-mtime_sec_max-on-32-bit.patch +Content-Length: 843 +Lines: 33 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Thomas Gleixner + +The maximum seconds value we can handle on 32bit is LONG_MAX. 
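Review bot: The new `timer->expires.tv64 < 0` test in hrtimer_forward detects the overflow only after `ktime_add()` has already wrapped, so it relies on the signed addition wrapping to a negative value; whether the build guarantees wrapping arithmetic is not visible here. It also covers only this final addition, and the earlier part of the function (outside the hunk) should be checked for the same overflow with a very large interval. The clamp uses `KTIME_SEC_MAX`, which patch 15/31 of this series corrects for 32-bit, so the two must be applied together. I would also have the comment state the consequence, e.g. `/* a negative expiry is always in the past, so the timer would expire forever */`.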
+ +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/ktime.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/linux/ktime.h ++++ b/include/linux/ktime.h +@@ -57,7 +57,11 @@ typedef union { + } ktime_t; + + #define KTIME_MAX ((s64)~((u64)1 << 63)) +-#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) ++#if (BITS_PER_LONG == 64) ++# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) ++#else ++# define KTIME_SEC_MAX LONG_MAX ++#endif + + /* + * ktime_t definitions when using the 64-bit scalar representation: + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:48 2007 +Message-Id: <20070319213348.821890149@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + torvalds@linux-foundation.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + neilb@cse.unsw.edu.au, + adi@hexapodia.org, + ego@in.ibm.com +Subject: [patch 16/31] fix read past end of array in md/linear.c +Content-Disposition: inline; filename=fix-read-past-end-of-array-in-md-linear.c.patch +Content-Length: 1672 +Lines: 51 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + + +From: Andy Isaacson + +When iterating through an array, one must be careful to test one's index +variable rather than another similarly-named variable. 
+ +The loop will read off the end of conf->disks[] in the following +(pathological) case: + +% dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1 +% for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done +% ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4 +# mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234] + +adding some printks, I saw this: +[42949374.960000] hash_spacing = 821120 +[42949374.960000] cnt = 4 +[42949374.960000] min_spacing = 801 +[42949374.960000] j=0 size=820928 sz=820928 +[42949374.960000] i=0 sz=820928 hash_spacing=820928 +[42949374.960000] j=1 size=64 sz=64 +[42949374.960000] j=2 size=64 sz=128 +[42949374.960000] j=3 size=64 sz=192 +[42949374.960000] j=4 size=1515870810 sz=1515871002 + +Cc: Gautham R Shenoy +Acked-by: Neil Brown +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/linear.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/linear.c ++++ b/drivers/md/linear.c +@@ -188,7 +188,7 @@ static linear_conf_t *linear_conf(mddev_ + for (i=0; i < cnt-1 ; i++) { + sector_t sz = 0; + int j; +- for (j=i; idisks[j].size; + if (sz >= min_spacing && sz < conf->hash_spacing) + conf->hash_spacing = sz; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213348.951394107@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Daniel Drake +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Francois Romieu , + Jeff Garzik +Subject: [patch 17/31] r8169: fix a race between PCI probe and dev_open +Content-Disposition: inline; 
filename=r8169-fix-a-race-between-pci-probe-and-dev_open.patch +Content-Length: 1151 +Lines: 42 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +Initialize the timer with the rest of the private-struct. + +Signed-off-by: Francois Romieu +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -1369,11 +1369,7 @@ static inline void rtl8169_request_timer + (tp->phy_version >= RTL_GIGA_PHY_VER_H)) + return; + +- init_timer(timer); +- timer->expires = jiffies + RTL8169_PHY_TIMEOUT; +- timer->data = (unsigned long)(dev); +- timer->function = rtl8169_phy_timer; +- add_timer(timer); ++ mod_timer(timer, jiffies + RTL8169_PHY_TIMEOUT); + } + + #ifdef CONFIG_NET_POLL_CONTROLLER +@@ -1686,6 +1682,10 @@ rtl8169_init_one(struct pci_dev *pdev, c + tp->mmio_addr = ioaddr; + tp->align = rtl_cfg_info[ent->driver_data].align; + ++ init_timer(&tp->timer); ++ tp->timer.data = (unsigned long) dev; ++ tp->timer.function = rtl8169_phy_timer; ++ + spin_lock_init(&tp->lock); + + rc = register_netdev(dev); + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.143139913@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Joy Latten , + "David S. 
Miller" +Subject: [patch 18/31] Fix extraneous IPSEC larval SA creation +Content-Disposition: inline; filename=fix-extraneous-ipsec-larval-sa-creation.patch +Content-Length: 1571 +Lines: 49 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Joy Latten + +[XFRM]: Fix missing protocol comparison of larval SAs. + +I noticed that in xfrm_state_add we look for the larval SA in a few +places without checking for protocol match. So when using both +AH and ESP, whichever one gets added first, deletes the larval SA. +It seems AH always gets added first and ESP is always the larval +SA's protocol since the xfrm->tmpl has it first. Thus causing the +additional km_query() + +Adding the check eliminates accidental double SA creation. + +Signed-off-by: Joy Latten +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_state.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -707,7 +707,8 @@ static struct xfrm_state *__find_acq_cor + x->props.mode != mode || + x->props.family != family || + x->km.state != XFRM_STATE_ACQ || +- x->id.spi != 0) ++ x->id.spi != 0 || ++ x->id.proto != proto) + continue; + + switch (family) { +@@ -804,7 +805,8 @@ int xfrm_state_add(struct xfrm_state *x) + + if (use_spi && x->km.seq) { + x1 = __xfrm_find_acq_byseq(x->km.seq); +- if (x1 && xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family)) { ++ if (x1 && ((x1->id.proto != x->id.proto) || ++ xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { + xfrm_state_put(x1); + x1 = NULL; + } + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.215182850@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:06 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , 
+ Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Robert Olsson , + Patrick McHardy , + "David S. Miller" +Subject: [patch 19/31] : Fix GFP_KERNEL with preemption disabled in fib_trie +Content-Disposition: inline; filename=fix-gfp_kernel-with-preemption-disabled-in-fib_trie.patch +Content-Length: 1612 +Lines: 51 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Robert Olsson + +[IPV4]: Do not disable preemption in trie_leaf_remove(). + +Hello, Just discussed this Patrick... + +We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete +both are holding RTNL. So there shouldn't be need for this preempt stuff. +This is assumed to a leftover from an older RCU-take. + +> Mhh .. I think I just remembered something - me incorrectly suggesting +> to add it there while we were talking about this at OLS :) IIRC the +> idea was to make sure tnode_free (which at that time didn't use +> call_rcu) wouldn't free memory while still in use in a rcu read-side +> critical section. It should have been synchronize_rcu of course, +> but with tnode_free using call_rcu it seems to be completely +> unnecessary. So I guess we can simply remove it. + +Signed-off-by: Robert Olsson +Signed-off-by: Patrick McHardy +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/fib_trie.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1528,7 +1528,6 @@ static int trie_leaf_remove(struct trie + t->revision++; + t->size--; + +- preempt_disable(); + tp = NODE_PARENT(n); + tnode_free((struct tnode *) n); + +@@ -1538,7 +1537,6 @@ static int trie_leaf_remove(struct trie + rcu_assign_pointer(t->trie, trie_rebalance(t, tp)); + } else + rcu_assign_pointer(t->trie, NULL); +- preempt_enable(); + + return 1; + } + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.345124604@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Masayuki Nakagawa , + "David S. Miller" +Subject: [patch 20/31] Fix ipv6 flow label inheritance +Content-Disposition: inline; filename=fix-ipv6-flow-label-inheritance.patch +Content-Length: 1072 +Lines: 36 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Masayuki Nakagawa + +[IPV6]: ipv6_fl_socklist is inadvertently shared. + +The ipv6_fl_socklist from listening socket is inadvertently shared +with new socket created for connection. This leads to a variety of +interesting, but fatal, bugs. For example, removing one of the +sockets may lead to the other socket's encountering a page fault +when the now freed list is referenced. + +The fix is to not share the flow label list with the new socket. + +Signed-off-by: Masayuki Nakagawa +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/tcp_ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_soc + First: no IPv4 options. + */ + newinet->opt = NULL; ++ newnp->ipv6_fl_list = NULL; + + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.477251423@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + Alexey Dobriyan , + "David S. Miller" +Subject: [patch 21/31] Copy over mac_len when cloning an skb +Content-Disposition: inline; filename=copy-over-mac_len-when-cloning-an-skb.patch +Content-Length: 760 +Lines: 32 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + + +From: Alexey Dobriyan + +[NET]: Copy mac_len in skb_clone() as well + +ANK says: "It is rarely used, that's wy it was not noticed. +But in the places, where it is used, it should be disaster." + +Signed-off-by: Alexey Dobriyan +Signed-off-by: David S. 
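Review bot: `newnp->ipv6_fl_list = NULL` clears the inherited flow-label list only on the path shown in this hunk of tcp_v6_syn_recv_sock; the function starts and ends outside the hunk, so any other place where a child socket receives a copy of the listener's IPv6 state is not visible and should be checked for the same reset. The same question applies to every other pointer member copied from `np` into `newnp`: each is either re-initialised, reference-counted, or a shared pointer that one socket's teardown can free under the other. A one-line comment would make the rule explicit, e.g. `/* per-socket list: must not be inherited from the listener */`.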
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -464,6 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff + memcpy(n->cb, skb->cb, sizeof(skb->cb)); + C(len); + C(data_len); ++ C(mac_len); + C(csum); + C(local_df); + n->cloned = 1; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.614522272@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 22/31] Fix sparc64 hugepage bugs +Content-Disposition: inline; filename=fix-sparc64-hugepage-bugs.patch +Content-Length: 1081 +Lines: 39 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Miller + +[SPARC64]: Add missing HPAGE_MASK masks on address parameters. + +These pte loops all assume the passed in address is HPAGE +aligned, make sure that is actually true. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/mm/hugetlbpage.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/sparc64/mm/hugetlbpage.c ++++ b/arch/sparc64/mm/hugetlbpage.c +@@ -248,6 +248,7 @@ void set_huge_pte_at(struct mm_struct *m + if (!pte_present(*ptep) && pte_present(entry)) + mm->context.huge_pte_count++; + ++ addr &= HPAGE_MASK; + for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) { + set_pte_at(mm, addr, ptep, entry); + ptep++; +@@ -266,6 +267,8 @@ pte_t huge_ptep_get_and_clear(struct mm_ + if (pte_present(entry)) + mm->context.huge_pte_count--; + ++ addr &= HPAGE_MASK; ++ + for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) { + pte_clear(mm, addr, ptep); + addr += PAGE_SIZE; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.742780733@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + bunk@stusta.de, + "David S. Miller" +Subject: [patch 23/31] Fix page allocation debugging on sparc64 +Content-Disposition: inline; filename=fix-page-allocation-debugging-on-sparc64.patch +Content-Length: 5136 +Lines: 164 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Miller + +[SPARC64]: Get DEBUG_PAGEALLOC working again. + +We have to make sure to use base-pagesize TLB entries even during the +early transition period where we need TLB miss handling but don't have +the kernel page tables setup yet for the linear region. + +Also, it is necessary therefore to not use the 4MB TSB for these +translations, and instead use the normal kernel TSB. 
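Review bot: In set_huge_pte_at and huge_ptep_get_and_clear, `addr &= HPAGE_MASK` rounds the address down but `ptep` is used as passed in, so the loops stay consistent only if the caller's `ptep` already points at the first base-page PTE of the huge page. That is not visible in these hunks (both functions start outside them). If it holds, say so next to the mask, e.g. `/* ptep already refers to the first PTE of the huge page; align addr to match */`; if it cannot be guaranteed, the PTE pointer needs the same alignment or the loops will pair PTEs with the wrong addresses.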
This allows us +to also get rid of the 4MB tsb for debug builds which shrinks the +kernel a little bit. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc64/kernel/ktlb.S | 8 +++++++- + arch/sparc64/mm/init.c | 30 ++++++++++++++++++++++++++++-- + include/asm-sparc64/tsb.h | 2 ++ + 3 files changed, 37 insertions(+), 3 deletions(-) + +--- a/arch/sparc64/kernel/ktlb.S ++++ b/arch/sparc64/kernel/ktlb.S +@@ -138,9 +138,15 @@ kvmap_dtlb_4v: + brgez,pn %g4, kvmap_dtlb_nonlinear + nop + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ /* Index through the base page size TSB even for linear ++ * mappings when using page allocation debugging. ++ */ ++ KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load) ++#else + /* Correct TAG_TARGET is already in %g6, check 4mb TSB. */ + KERN_TSB4M_LOOKUP_TL1(%g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load) +- ++#endif + /* TSB entry address left in %g1, lookup linear PTE. + * Must preserve %g1 and %g6 (TAG). + */ +--- a/arch/sparc64/mm/init.c ++++ b/arch/sparc64/mm/init.c +@@ -59,8 +59,10 @@ unsigned long kern_linear_pte_xor[2] __r + */ + unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* A special kernel TSB for 4MB and 256MB linear mappings. */ + struct tsb swapper_4m_tsb[KERNEL_TSB4M_NENTRIES]; ++#endif + + #define MAX_BANKS 32 + +@@ -1301,7 +1303,12 @@ static void __init tsb_phys_patch(void) + } + + /* Don't mark as init, we give this to the Hypervisor. 
*/ +-static struct hv_tsb_descr ktsb_descr[2]; ++#ifndef CONFIG_DEBUG_PAGEALLOC ++#define NUM_KTSB_DESCR 2 ++#else ++#define NUM_KTSB_DESCR 1 ++#endif ++static struct hv_tsb_descr ktsb_descr[NUM_KTSB_DESCR]; + extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES]; + + static void __init sun4v_ktsb_init(void) +@@ -1340,6 +1347,7 @@ static void __init sun4v_ktsb_init(void) + ktsb_descr[0].tsb_base = ktsb_pa; + ktsb_descr[0].resv = 0; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* Second KTSB for 4MB/256MB mappings. */ + ktsb_pa = (kern_base + + ((unsigned long)&swapper_4m_tsb[0] - KERNBASE)); +@@ -1352,6 +1360,7 @@ static void __init sun4v_ktsb_init(void) + ktsb_descr[1].ctx_idx = 0; + ktsb_descr[1].tsb_base = ktsb_pa; + ktsb_descr[1].resv = 0; ++#endif + } + + void __cpuinit sun4v_ktsb_register(void) +@@ -1364,7 +1373,7 @@ void __cpuinit sun4v_ktsb_register(void) + pa = kern_base + ((unsigned long)&ktsb_descr[0] - KERNBASE); + + func = HV_FAST_MMU_TSB_CTX0; +- arg0 = 2; ++ arg0 = NUM_KTSB_DESCR; + arg1 = pa; + __asm__ __volatile__("ta %6" + : "=&r" (func), "=&r" (arg0), "=&r" (arg1) +@@ -1393,7 +1402,9 @@ void __init paging_init(void) + + /* Invalidate both kernel TSBs. 
*/ + memset(swapper_tsb, 0x40, sizeof(swapper_tsb)); ++#ifndef CONFIG_DEBUG_PAGEALLOC + memset(swapper_4m_tsb, 0x40, sizeof(swapper_4m_tsb)); ++#endif + + if (tlb_type == hypervisor) + sun4v_pgprot_init(); +@@ -1725,8 +1736,13 @@ static void __init sun4u_pgprot_init(voi + pg_iobits = (_PAGE_VALID | _PAGE_PRESENT_4U | __DIRTY_BITS_4U | + __ACCESS_BITS_4U | _PAGE_E_4U); + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZBITS_4U) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZ4MB_4U) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[0] |= (_PAGE_CP_4U | _PAGE_CV_4U | + _PAGE_P_4U | _PAGE_W_4U); + +@@ -1769,13 +1785,23 @@ static void __init sun4v_pgprot_init(voi + _PAGE_E = _PAGE_E_4V; + _PAGE_CACHE = _PAGE_CACHE_4V; + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZBITS_4V) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[0] = (_PAGE_VALID | _PAGE_SZ4MB_4V) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[0] |= (_PAGE_CP_4V | _PAGE_CV_4V | + _PAGE_P_4V | _PAGE_W_4V); + ++#ifdef CONFIG_DEBUG_PAGEALLOC ++ kern_linear_pte_xor[1] = (_PAGE_VALID | _PAGE_SZBITS_4V) ^ ++ 0xfffff80000000000; ++#else + kern_linear_pte_xor[1] = (_PAGE_VALID | _PAGE_SZ256MB_4V) ^ + 0xfffff80000000000; ++#endif + kern_linear_pte_xor[1] |= (_PAGE_CP_4V | _PAGE_CV_4V | + _PAGE_P_4V | _PAGE_W_4V); + +--- a/include/asm-sparc64/tsb.h ++++ b/include/asm-sparc64/tsb.h +@@ -264,6 +264,7 @@ extern struct tsb_phys_patch_entry __tsb + be,a,pt %xcc, OK_LABEL; \ + mov REG4, REG1; + ++#ifndef CONFIG_DEBUG_PAGEALLOC + /* This version uses a trick, the TAG is already (VADDR >> 22) so + * we can make use of that for the index computation. 
+ */ +@@ -277,5 +278,6 @@ extern struct tsb_phys_patch_entry __tsb + cmp REG3, TAG; \ + be,a,pt %xcc, OK_LABEL; \ + mov REG4, REG1; ++#endif + + #endif /* !(_SPARC64_TSB_H) */ + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:49 2007 +Message-Id: <20070319213349.875022100@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + "David S. Miller" +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + netdev@vger.kernel.org, + Guennadi Liakhovetski , + irda-users@lists.sourceforge.net, + Samuel Ortiz +Subject: [patch 24/31] IrDA: irttp_dup spin_lock initialisation +Content-Disposition: inline; filename=irda-irttp_dup-spin_lock-initialisation.patch +Content-Length: 817 +Lines: 33 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Samuel Ortiz + +Without this initialization one gets + +kernel BUG at kernel/rtmutex_common.h:80! + +This patch should also be included in the -stable kernel. + +Signed-off-by: G. 
Liakhovetski +Signed-off-by: Samuel Ortiz +Cc: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/irda/irttp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/irda/irttp.c ++++ b/net/irda/irttp.c +@@ -1455,6 +1455,7 @@ struct tsap_cb *irttp_dup(struct tsap_cb + + /* Not everything should be copied */ + new->notify.instance = instance; ++ spin_lock_init(&new->lock); + init_timer(&new->todo_timer); + + skb_queue_head_init(&new->rx_queue); + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007 +Message-Id: <20070319213350.007741216@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dmitry Torokhov +Subject: [patch 25/31] Input: i8042 - really suppress ACK/NAK during panic blink +Content-Disposition: inline; filename=input-i8042-really-suppress-ack-nak-during-panic-blink.patch +Content-Length: 1441 +Lines: 51 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Dmitry Torokhov + +Input: i8042 - really suppress ACK/NAK during panic blink + +On some boxes panic blink procedure manages to send both bytes +to keyboard contoller before getting first ACK so we need to +make i8042_suppress_kbd_ack a counter instead of boolean. 
+ +Cc: Chuck Ebbert +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/input/serio/i8042.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -371,7 +371,7 @@ static irqreturn_t i8042_interrupt(int i + if (unlikely(i8042_suppress_kbd_ack)) + if (port_no == I8042_KBD_PORT_NO && + (data == 0xfa || data == 0xfe)) { +- i8042_suppress_kbd_ack = 0; ++ i8042_suppress_kbd_ack--; + goto out; + } + +@@ -838,13 +838,14 @@ static long i8042_panic_blink(long count + led ^= 0x01 | 0x04; + while (i8042_read_status() & I8042_STR_IBF) + DELAY; +- i8042_suppress_kbd_ack = 1; ++ dbg("%02x -> i8042 (panic blink)", 0xed); ++ i8042_suppress_kbd_ack = 2; + i8042_write_data(0xed); /* set leds */ + DELAY; + while (i8042_read_status() & I8042_STR_IBF) + DELAY; + DELAY; +- i8042_suppress_kbd_ack = 1; ++ dbg("%02x -> i8042 (panic blink)", led); + i8042_write_data(led); + DELAY; + last_blink = count; + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007 +Message-Id: <20070319213350.140632153@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Takashi Iwai , + Jaroslav Kysela +Subject: [patch 26/31] hda-intel - Fix codec probe with ATI controllers +Content-Disposition: inline; filename=hda-intel-fix-codec-probe-with-ati-controllers.patch +Content-Length: 1907 +Lines: 61 + +-stable review patch. If anyone has any objections, please let us know. 
+ +------------------ + +From: Takashi Iwai + +[ALSA] hda-intel - Fix codec probe with ATI contorllers + +ATI controllers may have up to 4 codecs while ICH up to 3. +Thus the earlier fix to change AZX_MAX_CODECS to 3 cause a regression +on some devices that have the audio codec at bit#3. +Now max codecs is defined according to the driver type, either 3 or 4. +Currently 4 is set only to ATI chips. Other might need the same +change, too. + +Cc: Chuck Ebbert +Signed-off-by: Takashi Iwai +Signed-off-by: Jaroslav Kysela + +--- + sound/pci/hda/hda_intel.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -199,7 +199,6 @@ enum { SDI0, SDI1, SDI2, SDI3, SDO0, SDO + + /* STATESTS int mask: SD2,SD1,SD0 */ + #define STATESTS_INT_MASK 0x07 +-#define AZX_MAX_CODECS 3 + + /* SD_CTL bits */ + #define SD_CTL_STREAM_RESET 0x01 /* stream reset bit */ +@@ -966,6 +965,16 @@ static int azx_setup_controller(struct a + * Codec initialization + */ + ++static unsigned int azx_max_codecs[] __devinitdata = { ++ [AZX_DRIVER_ICH] = 3, ++ [AZX_DRIVER_ATI] = 4, ++ [AZX_DRIVER_ATIHDMI] = 4, ++ [AZX_DRIVER_VIA] = 3, /* FIXME: correct? */ ++ [AZX_DRIVER_SIS] = 3, /* FIXME: correct? */ ++ [AZX_DRIVER_ULI] = 3, /* FIXME: correct? */ ++ [AZX_DRIVER_NVIDIA] = 3, /* FIXME: correct? 
*/ ++}; ++ + static int __devinit azx_codec_create(struct azx *chip, const char *model) + { + struct hda_bus_template bus_temp; +@@ -982,7 +991,7 @@ static int __devinit azx_codec_create(st + return err; + + codecs = 0; +- for (c = 0; c < AZX_MAX_CODECS; c++) { ++ for (c = 0; c < azx_max_codecs[chip->driver_type]; c++) { + if ((chip->codec_mask & (1 << c)) & probe_mask) { + err = snd_hda_codec_new(chip->bus, c, NULL); + if (err < 0) + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007 +Message-Id: <20070319213350.268421247@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ankita Garg , + Nick Piggin , + William Irwin +Subject: [patch 27/31] oom fix: prevent oom from killing a process with children/sibling unkillable +Content-Disposition: inline; filename=oom-fix-prevent-oom-from-killing-a-process-with-children-sibling-unkillable.patch +Content-Length: 1142 +Lines: 37 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ankita Garg + +[PATCH] oom fix: prevent oom from killing a process with children/sibling unkillable + +Looking at oom_kill.c, found that the intention to not kill the selected +process if any of its children/siblings has OOM_DISABLE set, is not being +met. 
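Review bot: `azx_max_codecs[chip->driver_type]` in the azx_codec_create() loop is indexed without a bound, and the table's length is fixed only by its highest designated initializer. A driver type added later without a table entry would either read past the array or pick up 0 and silently probe no codecs. Bounding the lookup, e.g. `max = chip->driver_type < ARRAY_SIZE(azx_max_codecs) ? azx_max_codecs[chip->driver_type] : 3;`, makes the fallback explicit. The context of the first hunk also still shows `STATESTS_INT_MASK 0x07`, commented as SD2..SD0, which may need revisiting now that ATI allows a codec at bit 3. azx_codec_create() continues outside the hunk.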
+
+Signed-off-by: Ankita Garg
+Cc: Chuck Ebbert
+Acked-by: Nick Piggin
+Acked-by: William Irwin
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/oom_kill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -320,7 +320,7 @@ static int oom_kill_task(struct task_str
+ * Don't kill the process if any threads are set to OOM_DISABLE
+ */
+ do_each_thread(g, q) {
+- if (q->mm == mm && p->oomkilladj == OOM_DISABLE)
++ if (q->mm == mm && q->oomkilladj == OOM_DISABLE)
+ return 1;
+ } while_each_thread(g, q);
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007
+Message-Id: <20070319213350.454396646@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:31:15 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Zach Brown ,
+ Benjamin LaHaise ,
+ Leonid Ananiev ,
+ Nick Piggin
+Subject: [patch 28/31] dio: invalidate clean pages before dio write
+Content-Disposition: inline; filename=dio-invalidate-clean-pages-before-dio-write.patch
+Content-Length: 4482
+Lines: 123
+
+-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Zach Brown
+
+[PATCH] dio: invalidate clean pages before dio write
+
+This patch fixes a user-triggerable oops that was reported by Leonid
+Ananiev as archived at http://lkml.org/lkml/2007/2/8/337.
+
+dio writes invalidate clean pages that intersect the written region so that
+subsequent buffered reads go to disk to read the new data. If this fails
+the interface tries to tell the caller that the cache is inconsistent by
+returning EIO.
+ +Before this patch we had the problem where this invalidation failure would +clobber -EIOCBQUEUED as it made its way from fs/direct-io.c to fs/aio.c. +Both fs/aio.c and bio completion call aio_complete() and we reference freed +memory, usually oopsing. + +This patch addresses this problem by invalidating before the write so that +we can cleanly return -EIO before ->direct_IO() has had a chance to return +-EIOCBQUEUED. + +There is a compromise here. During the dio write we can fault in mmap()ed +pages which intersect the written range with get_user_pages() if the user +provided them for the source buffer. This is a crazy thing to do, but we +can make it mostly work in most cases by trying the invalidation again. +The compromise is that we won't return an error if this second invalidation +fails if it's an AIO write and we have -EIOCBQUEUED. + +This was tested by having two processes race performing large O_DIRECT and +buffered ordered writes. Within minutes ext3 would see a race between +ext3_releasepage() and jbd holding a reference on ordered data buffers and +would cause invalidation to fail, panicing the box. The test can be found +in the 'aio_dio_bugs' test group in test.kernel.org/autotest. After this +patch the test passes. + +Signed-off-by: Zach Brown +Signed-off-by: Benjamin LaHaise +Cc: Chuck Ebbert +Cc: Leonid Ananiev +Cc: Nick Piggin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 46 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2393,7 +2393,8 @@ generic_file_direct_IO(int rw, struct ki + struct file *file = iocb->ki_filp; + struct address_space *mapping = file->f_mapping; + ssize_t retval; +- size_t write_len = 0; ++ size_t write_len; ++ pgoff_t end = 0; /* silence gcc */ + + /* + * If it's a write, unmap all mmappings of the file up-front. 
This +@@ -2402,23 +2403,46 @@ generic_file_direct_IO(int rw, struct ki + */ + if (rw == WRITE) { + write_len = iov_length(iov, nr_segs); ++ end = (offset + write_len - 1) >> PAGE_CACHE_SHIFT; + if (mapping_mapped(mapping)) + unmap_mapping_range(mapping, offset, write_len, 0); + } + + retval = filemap_write_and_wait(mapping); +- if (retval == 0) { +- retval = mapping->a_ops->direct_IO(rw, iocb, iov, +- offset, nr_segs); +- if (rw == WRITE && mapping->nrpages) { +- pgoff_t end = (offset + write_len - 1) +- >> PAGE_CACHE_SHIFT; +- int err = invalidate_inode_pages2_range(mapping, ++ if (retval) ++ goto out; ++ ++ /* ++ * After a write we want buffered reads to be sure to go to disk to get ++ * the new data. We invalidate clean cached page from the region we're ++ * about to write. We do this *before* the write so that we can return ++ * -EIO without clobbering -EIOCBQUEUED from ->direct_IO(). ++ */ ++ if (rw == WRITE && mapping->nrpages) { ++ retval = invalidate_inode_pages2_range(mapping, + offset >> PAGE_CACHE_SHIFT, end); +- if (err) +- retval = err; +- } ++ if (retval) ++ goto out; ++ } ++ ++ retval = mapping->a_ops->direct_IO(rw, iocb, iov, offset, nr_segs); ++ if (retval) ++ goto out; ++ ++ /* ++ * Finally, try again to invalidate clean pages which might have been ++ * faulted in by get_user_pages() if the source of the write was an ++ * mmap()ed region of the file we're writing. That's a pretty crazy ++ * thing to do, so we don't support it 100%. If this invalidation ++ * fails and we have -EIOCBQUEUED we ignore the failure. 
++ */ ++ if (rw == WRITE && mapping->nrpages) { ++ int err = invalidate_inode_pages2_range(mapping, ++ offset >> PAGE_CACHE_SHIFT, end); ++ if (err && retval >= 0) ++ retval = err; + } ++out: + return retval; + } + + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007 +Message-Id: <20070319213350.538411491@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dmitry Torokhov +Subject: [patch 29/31] Input: i8042 - fix AUX IRQ delivery check +Content-Disposition: inline; filename=input-i8042-fix-aux-irq-delivery-check.patch +Content-Length: 1301 +Lines: 50 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Dmitry Torokhov + +Input: i8042 - fix AUX IRQ delivery check + +On boxes that do not implement AUX LOOP command we can not +verify AUX IRQ delivery and must assume that it is wired +properly. 
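Review bot: In generic_file_direct_IO() the new `if (retval) goto out;` placed right after the `->direct_IO()` call leaves on any non-zero return, so the second invalidate_inode_pages2_range() call below it runs only when `retval` is exactly 0. Assuming `->direct_IO()` returns the number of bytes written on success, an ordinary synchronous O_DIRECT write skips the post-write invalidation and buffered readers can keep seeing stale cached pages. The `retval >= 0` test and the comment's -EIOCBQUEUED case are also unreachable as written. Leaving early only on real errors would match the comment, e.g. `if (retval < 0 && retval != -EIOCBQUEUED) goto out;`. The function begins above this hunk.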
+
+Cc: Chuck Ebbert
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/serio/i8042.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -543,6 +543,7 @@ static int __devinit i8042_check_aux(voi
+ {
+ int retval = -1;
+ int irq_registered = 0;
++ int aux_loop_broken = 0;
+ unsigned long flags;
+ unsigned char param;
+
+@@ -572,6 +573,8 @@ static int __devinit i8042_check_aux(voi
+ if (i8042_command(¶m, I8042_CMD_AUX_TEST) ||
+ (param && param != 0xfa && param != 0xff))
+ return -1;
++
++ aux_loop_broken = 1;
+ }
+
+ /*
+@@ -595,7 +598,7 @@ static int __devinit i8042_check_aux(voi
+ * used it for a PCI card or somethig else.
+ */
+
+- if (i8042_noloop) {
++ if (i8042_noloop || aux_loop_broken) {
+ /*
+ * Without LOOP command we can't test AUX IRQ delivery. Assume the port
+ * is working and hope we are right.
+
+--
+
+From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007
+Message-Id: <20070319213350.671627630@mini.kroah.org>
+References: <20070319213047.710101653@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 19 Mar 2007 14:31:17 -0700
+From: Greg KH
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes ,
+ Zwane Mwaikambo ,
+ Theodore Ts'o ,
+ Randy Dunlap ,
+ Dave Jones ,
+ Chuck Wolber ,
+ Chris Wedgwood ,
+ Michael Krufky ,
+ Chuck Ebbert ,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Smalley ,
+ James Morris ,
+ Al Viro
+Subject: [patch 30/31] fix deadlock in audit_log_task_context()
+Content-Disposition: inline; filename=fix-deadlock-in-audit_log_task_context.patch
+Content-Length: 1553
+Lines: 66
+
+-stable review patch. If anyone has any objections, please let us know.
+ +------------------ + +From: Al Viro + +[PATCH] fix deadlock in audit_log_task_context() + +GFP_KERNEL allocations in non-blocking context; fixed by killing +an idiotic use of security_getprocattr(). + +Acked-by: Stephen Smalley +Acked-by: James Morris +Cc: Chuck Ebbert +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -734,28 +734,26 @@ static inline void audit_free_context(st + void audit_log_task_context(struct audit_buffer *ab) + { + char *ctx = NULL; +- ssize_t len = 0; ++ unsigned len; ++ int error; ++ u32 sid; + +- len = security_getprocattr(current, "current", NULL, 0); +- if (len < 0) { +- if (len != -EINVAL) ++ selinux_get_task_sid(current, &sid); ++ if (!sid) ++ return; ++ ++ error = selinux_sid_to_string(sid, &ctx, &len); ++ if (error) { ++ if (error != -EINVAL) + goto error_path; + return; + } + +- ctx = kmalloc(len, GFP_KERNEL); +- if (!ctx) +- goto error_path; +- +- len = security_getprocattr(current, "current", ctx, len); +- if (len < 0 ) +- goto error_path; +- + audit_log_format(ab, " subj=%s", ctx); ++ kfree(ctx); + return; + + error_path: +- kfree(ctx); + audit_panic("error in audit_log_task_context"); + return; + } + +-- + +From gregkh@mini.kroah.org Mon Mar 19 14:33:50 2007 +Message-Id: <20070319213350.804073228@mini.kroah.org> +References: <20070319213047.710101653@mini.kroah.org> +User-Agent: quilt/0.46-1 +Date: Mon, 19 Mar 2007 14:31:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Greg KH , + uml-devel , + Jeff Dike +Subject: [patch 31/31] UML - arch_prctl 
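Review bot: audit_log_task_context() now relies on two properties of selinux_sid_to_string() that this hunk does not show: that it is safe to call in non-blocking context, and that it leaves `ctx` unallocated when it fails, since `kfree(ctx)` was dropped from `error_path`. A comment above the call would record the contract once both are confirmed, e.g. `/* must not sleep; ctx is allocated only on success */`. `len` is filled in by the call but not read afterwards in the visible code, which is worth a word in the same comment.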
should set thread fs +Content-Disposition: inline; filename=uml-arch_prctl-should-set-thread-fs.patch +Content-Length: 7241 +Lines: 244 + +-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jeff Dike + +x86_64 needs some TLS fixes. What was missing was remembering the child +thread id during clone and stuffing it into the child during each context +switch. + +The %fs value is stored separately in the thread structure since the host +controls what effect it has on the actual register file. The host also needs +to store it in its own thread struct, so we need the value kept outside the +register file. + +arch_prctl_skas was fixed to call PTRACE_ARCH_PRCTL appropriately. There is +some saving and restoring of registers in the ARCH_SET_* cases so that the +correct set of registers are changed on the host and restored to the process +when it runs again. + +Signed-off-by: Jeff Dike +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/include/os.h | 2 + arch/um/os-Linux/sys-x86_64/Makefile | 2 + arch/um/os-Linux/sys-x86_64/prctl.c | 12 +++++ + arch/um/sys-x86_64/syscalls.c | 76 ++++++++++++++++++++++++++--------- + arch/um/sys-x86_64/tls.c | 11 +++-- + include/asm-um/processor-x86_64.h | 6 +- + include/asm-um/ptrace-x86_64.h | 6 -- + 7 files changed, 86 insertions(+), 29 deletions(-) + +--- a/arch/um/include/os.h ++++ b/arch/um/include/os.h +@@ -341,4 +341,6 @@ extern void maybe_sigio_broken(int fd, i + extern void sig_handler_common_skas(int sig, void *sc_ptr); + extern void user_signal(int sig, union uml_pt_regs *regs, int pid); + ++extern int os_arch_prctl(int pid, int code, unsigned long *addr); ++ + #endif +--- a/arch/um/os-Linux/sys-x86_64/Makefile ++++ b/arch/um/os-Linux/sys-x86_64/Makefile +@@ -3,7 +3,7 @@ + # Licensed under the GPL + # + +-obj-$(CONFIG_MODE_SKAS) = registers.o signal.o ++obj-$(CONFIG_MODE_SKAS) = registers.o prctl.o signal.o + + USER_OBJS := $(obj-y) + +--- /dev/null ++++ 
b/arch/um/os-Linux/sys-x86_64/prctl.c +@@ -0,0 +1,12 @@ ++/* ++ * Copyright (C) 2007 Jeff Dike (jdike@{addtoit.com,linux.intel.com}) ++ * Licensed under the GPL ++ */ ++ ++#include ++#include ++ ++int os_arch_prctl(int pid, int code, unsigned long *addr) ++{ ++ return ptrace(PTRACE_ARCH_PRCTL, pid, (unsigned long) addr, code); ++} +--- a/arch/um/sys-x86_64/syscalls.c ++++ b/arch/um/sys-x86_64/syscalls.c +@@ -16,6 +16,7 @@ + #include "asm/prctl.h" /* XXX This should get the constants from libc */ + #include "choose-mode.h" + #include "kern.h" ++#include "os.h" + + asmlinkage long sys_uname64(struct new_utsname __user * name) + { +@@ -58,40 +59,70 @@ static long arch_prctl_tt(int code, unsi + + #ifdef CONFIG_MODE_SKAS + +-/* XXX: Must also call arch_prctl in the host, beside saving the segment bases! */ +-static long arch_prctl_skas(int code, unsigned long addr) ++static long arch_prctl_skas(int code, unsigned long __user *addr) + { +- long ret = 0; ++ unsigned long *ptr = addr, tmp; ++ long ret; ++ int pid = current->mm->context.skas.id.u.pid; ++ ++ /* ++ * With ARCH_SET_FS (and ARCH_SET_GS is treated similarly to ++ * be safe), we need to call arch_prctl on the host because ++ * setting %fs may result in something else happening (like a ++ * GDT being set instead). So, we let the host fiddle the ++ * registers and restore them afterwards. ++ * ++ * So, the saved registers are stored to the process (this ++ * needed because a stub may have been the last thing to run), ++ * arch_prctl is run on the host, then the registers are read ++ * back. ++ */ ++ switch(code){ ++ case ARCH_SET_FS: ++ case ARCH_SET_GS: ++ restore_registers(pid, ¤t->thread.regs.regs); ++ break; ++ case ARCH_GET_FS: ++ case ARCH_GET_GS: ++ /* ++ * With these two, we read to a local pointer and ++ * put_user it to the userspace pointer that we were ++ * given. 
If addr isn't valid (because it hasn't been ++ * faulted in or is just bogus), we want put_user to ++ * fault it in (or return -EFAULT) instead of having ++ * the host return -EFAULT. ++ */ ++ ptr = &tmp; ++ } ++ ++ ret = os_arch_prctl(pid, code, ptr); ++ if(ret) ++ return ret; + + switch(code){ + case ARCH_SET_FS: +- current->thread.regs.regs.skas.regs[FS_BASE / sizeof(unsigned long)] = addr; ++ current->thread.arch.fs = (unsigned long) ptr; ++ save_registers(pid, ¤t->thread.regs.regs); + break; + case ARCH_SET_GS: +- current->thread.regs.regs.skas.regs[GS_BASE / sizeof(unsigned long)] = addr; ++ save_registers(pid, ¤t->thread.regs.regs); + break; + case ARCH_GET_FS: +- ret = put_user(current->thread.regs.regs.skas. +- regs[FS_BASE / sizeof(unsigned long)], +- (unsigned long __user *)addr); +- break; ++ ret = put_user(tmp, addr); ++ break; + case ARCH_GET_GS: +- ret = put_user(current->thread.regs.regs.skas. +- regs[GS_BASE / sizeof(unsigned long)], +- (unsigned long __user *)addr); +- break; +- default: +- ret = -EINVAL; ++ ret = put_user(tmp, addr); + break; + } + +- return(ret); ++ return ret; + } + #endif + + long sys_arch_prctl(int code, unsigned long addr) + { +- return(CHOOSE_MODE_PROC(arch_prctl_tt, arch_prctl_skas, code, addr)); ++ return CHOOSE_MODE_PROC(arch_prctl_tt, arch_prctl_skas, code, ++ (unsigned long __user *) addr); + } + + long sys_clone(unsigned long clone_flags, unsigned long newsp, +@@ -105,5 +136,14 @@ long sys_clone(unsigned long clone_flags + ret = do_fork(clone_flags, newsp, ¤t->thread.regs, 0, parent_tid, + child_tid); + current->thread.forking = 0; +- return(ret); ++ return ret; + } ++ ++void arch_switch_to_skas(struct task_struct *from, struct task_struct *to) ++{ ++ if((to->thread.arch.fs == 0) || (to->mm == NULL)) ++ return; ++ ++ arch_prctl_skas(ARCH_SET_FS, (void __user *) to->thread.arch.fs); ++} ++ +--- a/arch/um/sys-x86_64/tls.c ++++ b/arch/um/sys-x86_64/tls.c +@@ -1,14 +1,17 @@ + #include "linux/sched.h" + +-void 
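Review bot: arch_prctl_skas() no longer rejects unknown `code` values: the old `default: ret = -EINVAL` arm is removed and neither of the new switches has a default, so whatever the guest process passes is forwarded to the host through os_arch_prctl() together with the guest-supplied `addr`. Restoring the check in the first switch, `default: return -EINVAL;`, keeps unrecognised requests away from the host ptrace call. Separately, os_arch_prctl() in prctl.c returns the ptrace() result unchanged, so a failure presumably reaches the guest as -1 rather than the host's error code; returning `-errno` on failure would fix that.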
debug_arch_force_load_TLS(void) +-{ +-} +- + void clear_flushed_tls(struct task_struct *task) + { + } + + int arch_copy_tls(struct task_struct *t) + { ++ /* ++ * If CLONE_SETTLS is set, we need to save the thread id ++ * (which is argument 5, child_tid, of clone) so it can be set ++ * during context switches. ++ */ ++ t->thread.arch.fs = t->thread.regs.regs.skas.regs[R8 / sizeof(long)]; ++ + return 0; + } +--- a/include/asm-um/processor-x86_64.h ++++ b/include/asm-um/processor-x86_64.h +@@ -13,6 +13,7 @@ + struct arch_thread { + unsigned long debugregs[8]; + int debugregs_seq; ++ unsigned long fs; + struct faultinfo faultinfo; + }; + +@@ -25,8 +26,9 @@ extern inline void rep_nop(void) + #define cpu_relax() rep_nop() + + #define INIT_ARCH_THREAD { .debugregs = { [ 0 ... 7 ] = 0 }, \ +- .debugregs_seq = 0, \ +- .faultinfo = { 0, 0, 0 } } ++ .debugregs_seq = 0, \ ++ .fs = 0, \ ++ .faultinfo = { 0, 0, 0 } } + + static inline void arch_flush_thread(struct arch_thread *thread) + { +--- a/include/asm-um/ptrace-x86_64.h ++++ b/include/asm-um/ptrace-x86_64.h +@@ -81,9 +81,7 @@ static inline void arch_switch_to_tt(str + { + } + +-static inline void arch_switch_to_skas(struct task_struct *from, +- struct task_struct *to) +-{ +-} ++extern void arch_switch_to_skas(struct task_struct *from, ++ struct task_struct *to); + + #endif + +-- + diff --git a/queue-2.6.20/mm-fix-madvise-infinine-loop.patch b/review-2.6.20/mm-fix-madvise-infinine-loop.patch similarity index 100% rename from queue-2.6.20/mm-fix-madvise-infinine-loop.patch rename to review-2.6.20/mm-fix-madvise-infinine-loop.patch diff --git a/queue-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch b/review-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch similarity index 100% rename from queue-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch rename to review-2.6.20/netfilter-nfnetlink_log-fix-reference-counting.patch 
diff --git a/queue-2.6.20/netlabel-cipso_std_bug b/review-2.6.20/netlabel-cipso_std_bug similarity index 100% rename from queue-2.6.20/netlabel-cipso_std_bug rename to review-2.6.20/netlabel-cipso_std_bug diff --git a/queue-2.6.20/nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch b/review-2.6.20/nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch similarity index 100% rename from queue-2.6.20/nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch rename to review-2.6.20/nfs-nfs_getattr-can-t-call-nfs_sync_mapping_range-for-non-regular-files.patch diff --git a/queue-2.6.20/oom-fix-prevent-oom-from-killing-a-process-with-children-sibling-unkillable.patch b/review-2.6.20/oom-fix-prevent-oom-from-killing-a-process-with-children-sibling-unkillable.patch similarity index 100% rename from queue-2.6.20/oom-fix-prevent-oom-from-killing-a-process-with-children-sibling-unkillable.patch rename to review-2.6.20/oom-fix-prevent-oom-from-killing-a-process-with-children-sibling-unkillable.patch diff --git a/queue-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch b/review-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch similarity index 100% rename from queue-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch rename to review-2.6.20/r8169-fix-a-race-between-pci-probe-and-dev_open.patch diff --git a/queue-2.6.20/series b/review-2.6.20/series similarity index 100% rename from queue-2.6.20/series rename to review-2.6.20/series diff --git a/queue-2.6.20/uml-arch_prctl-should-set-thread-fs.patch b/review-2.6.20/uml-arch_prctl-should-set-thread-fs.patch similarity index 100% rename from queue-2.6.20/uml-arch_prctl-should-set-thread-fs.patch rename to review-2.6.20/uml-arch_prctl-should-set-thread-fs.patch