From: Greg Kroah-Hartman
Date: Tue, 1 Jun 2010 22:41:32 +0000 (-0700)
Subject: .32 patches
X-Git-Tag: v2.6.31.14~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9282e52f93601cf2e6cc8732bb4a4fb1a2c394a5;p=thirdparty%2Fkernel%2Fstable-queue.git
.32 patches
---
diff --git a/queue-2.6.32/fix-racy-use-of-anon_inode_getfd-in-perf_event.c.patch b/queue-2.6.32/fix-racy-use-of-anon_inode_getfd-in-perf_event.c.patch
new file mode 100644
index 00000000000..ab6432b8447
--- /dev/null
+++ b/queue-2.6.32/fix-racy-use-of-anon_inode_getfd-in-perf_event.c.patch
@@ -0,0 +1,100 @@
+From ea635c64e007061f6468ece5cc9cc62d41d4ecf2 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Wed, 26 May 2010 17:40:29 -0400
+Subject: Fix racy use of anon_inode_getfd() in perf_event.c
+
+From: Al Viro
+
+commit ea635c64e007061f6468ece5cc9cc62d41d4ecf2 upstream.
+
+once anon_inode_getfd() is called, you can't expect *anything* about
+struct file that descriptor points to - another thread might be doing
+whatever it likes with descriptor table at that point.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/perf_event.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -4510,8 +4510,8 @@ SYSCALL_DEFINE5(perf_event_open,
+ struct perf_event_context *ctx;
+ struct file *event_file = NULL;
+ struct file *group_file = NULL;
++ int event_fd;
+ int fput_needed = 0;
+- int fput_needed2 = 0;
+ int err;
+
+ /* for future expandability... */
+@@ -4532,12 +4532,18 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+ }
+
++ event_fd = get_unused_fd_flags(O_RDWR);
++ if (event_fd < 0)
++ return event_fd;
++
+ /*
+ * Get the target context (task or percpu):
+ */
+ ctx = find_get_context(pid, cpu);
+- if (IS_ERR(ctx))
+- return PTR_ERR(ctx);
++ if (IS_ERR(ctx)) {
++ err = PTR_ERR(ctx);
++ goto err_fd;
++ }
+
+ /*
+ * Look up the group leader (we will attach this event to it):
+@@ -4577,13 +4583,11 @@ SYSCALL_DEFINE5(perf_event_open,
+ if (IS_ERR(event))
+ goto err_put_context;
+
+- err = anon_inode_getfd("[perf_event]", &perf_fops, event, 0);
+- if (err < 0)
+- goto err_free_put_context;
+-
+- event_file = fget_light(err, &fput_needed2);
+- if (!event_file)
++ event_file = anon_inode_getfile("[perf_event]", &perf_fops, event, O_RDWR);
++ if (IS_ERR(event_file)) {
++ err = PTR_ERR(event_file);
+ goto err_free_put_context;
++ }
+
+ if (flags & PERF_FLAG_FD_OUTPUT) {
+ err = perf_event_set_output(event, group_fd);
+@@ -4604,19 +4608,19 @@ SYSCALL_DEFINE5(perf_event_open,
+ list_add_tail(&event->owner_entry, ¤t->perf_event_list);
+ mutex_unlock(¤t->perf_event_mutex);
+
+-err_fput_free_put_context:
+- fput_light(event_file, fput_needed2);
++ fput_light(group_file, fput_needed);
++ fd_install(event_fd, event_file);
++ return event_fd;
+
++err_fput_free_put_context:
++ fput(event_file);
+ err_free_put_context:
+- if (err < 0)
+- free_event(event);
+-
++ free_event(event);
+ err_put_context:
+- if (err < 0)
+- put_ctx(ctx);
+-
+ fput_light(group_file, fput_needed);
+-
++ put_ctx(ctx);
++err_fd:
++ put_unused_fd(event_fd);
+ return err;
+ }
+
diff --git a/queue-2.6.32/libata-disable-atapi-an-by-default.patch b/queue-2.6.32/libata-disable-atapi-an-by-default.patch
new file mode 100644
index 00000000000..6ee8acb6ea8
--- /dev/null
+++ b/queue-2.6.32/libata-disable-atapi-an-by-default.patch
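Review bot: In kernel/perf_event.c, the new `err_fput_free_put_context` path calls `fput(event_file)` and then falls through to `free_event(event)` and `put_ctx(ctx)`, which looks like a possible double release. The file returned by `anon_inode_getfile()` has not been installed anywhere yet, so this `fput()` is presumably the final reference and will run the release handler in `perf_fops`. That handler is not visible in these hunks, but if it frees the event or drops the context itself, both are released twice. The simplest remedy is to do the `perf_event_set_output()` step before `anon_inode_getfile()` so its failure can jump to `err_free_put_context`; otherwise the `fput()` branch needs its own exit that skips `free_event(event)`. The body of perf_event_open starts and continues outside the hunks shown.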
@@ -0,0 +1,59 @@
+From e7ecd435692ca9bde9d124be30b3a26e672ea6c2 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 19 May 2010 15:38:58 +0200
+Subject: libata: disable ATAPI AN by default
+
+From: Tejun Heo
+
+commit e7ecd435692ca9bde9d124be30b3a26e672ea6c2 upstream.
+
+There are ATAPI devices which raise AN when hit by commands issued by
+open(). This leads to infinite loop of AN -> MEDIA_CHANGE uevent ->
+udev open() to check media -> AN.
+
+Both ACS and SerialATA standards don't define in which case ATAPI
+devices are supposed to raise or not raise AN. They both list media
+insertion event as a possible use case for ATAPI ANs but there is no
+clear description of what constitutes such events. As such, it seems
+a bit too naive to export ANs directly to userland as MEDIA_CHANGE
+events without further verification (which should behave similarly to
+windows as it apparently is the only thing that some hardware vendors
+are testing against).
+
+This patch adds libata.atapi_an module parameter and disables ATAPI AN
+by default for now.
+
+Signed-off-by: Tejun Heo
+Cc: Kay Sievers
+Cc: Nick Bowler
+Cc: David Zeuthen
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -159,6 +159,10 @@ int libata_allow_tpm = 0;
+ module_param_named(allow_tpm, libata_allow_tpm, int, 0444);
+ MODULE_PARM_DESC(allow_tpm, "Permit the use of TPM commands (0=off [default], 1=on)");
+
++static int atapi_an;
++module_param(atapi_an, int, 0444);
++MODULE_PARM_DESC(atapi_an, "Enable ATAPI AN media presence notification (0=0ff [default], 1=on)");
++
+ MODULE_AUTHOR("Jeff Garzik");
+ MODULE_DESCRIPTION("Library module for ATA devices");
+ MODULE_LICENSE("GPL");
+@@ -2570,7 +2574,8 @@ int ata_dev_configure(struct ata_device
+ * to enable ATAPI AN to discern between PHY status
+ * changed notifications and ATAPI ANs.
+ */
+- if ((ap->flags & ATA_FLAG_AN) && ata_id_has_atapi_AN(id) &&
++ if (atapi_an &&
++ (ap->flags & ATA_FLAG_AN) && ata_id_has_atapi_AN(id) &&
+ (!sata_pmp_attached(ap) ||
+ sata_scr_read(&ap->link, SCR_NOTIFICATION, &sntf) == 0)) {
+ unsigned int err_mask;
diff --git a/queue-2.6.32/libata-don-t-flush-dcache-on-slab-pages.patch b/queue-2.6.32/libata-don-t-flush-dcache-on-slab-pages.patch
new file mode 100644
index 00000000000..c4e0a90d3c4
--- /dev/null
+++ b/queue-2.6.32/libata-don-t-flush-dcache-on-slab-pages.patch
@@ -0,0 +1,33 @@
+From 3842e835490cdf17013b30a788f6311bdcfd0571 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior
+Date: Sun, 21 Mar 2010 22:52:23 +0100
+Subject: libata: don't flush dcache on slab pages
+
+From: Sebastian Andrzej Siewior
+
+commit 3842e835490cdf17013b30a788f6311bdcfd0571 upstream.
+
+page_mapping() check this via VM_BUG_ON(PageSlab(page)) so we bug here
+with the according debuging turned on.
+
+Future TODO: replace this with a flush_dcache_page_for_pio() API
+
+Signed-off-by: Sebastian Andrzej Siewior
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-sff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -893,7 +893,7 @@ static void ata_pio_sector(struct ata_qu
+ do_write);
+ }
+
+- if (!do_write)
++ if (!do_write && !PageSlab(page))
+ flush_dcache_page(page);
+
+ qc->curbytes += qc->sect_size;
diff --git a/queue-2.6.32/oprofile-remove-double-ring-buffering.patch b/queue-2.6.32/oprofile-remove-double-ring-buffering.patch
new file mode 100644
index 00000000000..8d275697715
--- /dev/null
+++ b/queue-2.6.32/oprofile-remove-double-ring-buffering.patch
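Review bot: In drivers/ata/libata-core.c, the new parameter description has a typo, "0=0ff" with a zero in place of the letter o, and this string is what modinfo shows to administrators. It should read `MODULE_PARM_DESC(atapi_an, "Enable ATAPI AN media presence notification (0=off [default], 1=on)");`, matching the `allow_tpm` description two lines above it. Because the parameter is registered with mode 0444 it can only be chosen at load time, which is worth saying in the description or in a comment next to `static int atapi_an;`.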
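Review bot: In drivers/ata/libata-sff.c, the added `!PageSlab(page)` test has no comment, and nothing at the call site says why slab pages are excluded. The reason is given only in the commit message (the `VM_BUG_ON(PageSlab(page))` reached through page_mapping()), so a later cleanup could drop the test as apparently redundant. A short comment above the condition would keep that visible, for example `/* slab pages have no mapping; flush_dcache_page() would trip VM_BUG_ON(PageSlab(page)) */`. ata_pio_sector starts and ends outside this hunk.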
@@ -0,0 +1,145 @@
+From cb6e943ccf19ab6d3189147e9d625a992e016084 Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Thu, 1 Apr 2010 03:17:25 +0200
+Subject: oprofile: remove double ring buffering
+
+From: Andi Kleen
+
+commit cb6e943ccf19ab6d3189147e9d625a992e016084 upstream.
+
+oprofile used a double buffer scheme for its cpu event buffer
+to avoid races on reading with the old locked ring buffer.
+
+But that is obsolete now with the new ring buffer, so simply
+use a single buffer. This greatly simplifies the code and avoids
+a lot of sample drops on large runs, especially with call graph.
+
+Based on suggestions from Steven Rostedt
+
+For stable kernels from v2.6.32, but not earlier.
+
+Signed-off-by: Andi Kleen
+Cc: Steven Rostedt
+Signed-off-by: Robert Richter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/oprofile/cpu_buffer.c | 63 ++++++++----------------------------------
+ 1 file changed, 13 insertions(+), 50 deletions(-)
+
+--- a/drivers/oprofile/cpu_buffer.c
++++ b/drivers/oprofile/cpu_buffer.c
+@@ -30,23 +30,7 @@
+
+ #define OP_BUFFER_FLAGS 0
+
+-/*
+- * Read and write access is using spin locking. Thus, writing to the
+- * buffer by NMI handler (x86) could occur also during critical
+- * sections when reading the buffer. To avoid this, there are 2
+- * buffers for independent read and write access. Read access is in
+- * process context only, write access only in the NMI handler. If the
+- * read buffer runs empty, both buffers are swapped atomically. There
+- * is potentially a small window during swapping where the buffers are
+- * disabled and samples could be lost.
+- *
+- * Using 2 buffers is a little bit overhead, but the solution is clear
+- * and does not require changes in the ring buffer implementation. It
+- * can be changed to a single buffer solution when the ring buffer
+- * access is implemented as non-locking atomic code.
+- */
+-static struct ring_buffer *op_ring_buffer_read;
+-static struct ring_buffer *op_ring_buffer_write;
++static struct ring_buffer *op_ring_buffer;
+ DEFINE_PER_CPU(struct oprofile_cpu_buffer, cpu_buffer);
+
+ static void wq_sync_buffer(struct work_struct *work);
+@@ -69,12 +53,9 @@ void oprofile_cpu_buffer_inc_smpl_lost(v
+
+ void free_cpu_buffers(void)
+ {
+- if (op_ring_buffer_read)
+- ring_buffer_free(op_ring_buffer_read);
+- op_ring_buffer_read = NULL;
+- if (op_ring_buffer_write)
+- ring_buffer_free(op_ring_buffer_write);
+- op_ring_buffer_write = NULL;
++ if (op_ring_buffer)
++ ring_buffer_free(op_ring_buffer);
++ op_ring_buffer = NULL;
+ }
+
+ #define RB_EVENT_HDR_SIZE 4
+@@ -87,11 +68,8 @@ int alloc_cpu_buffers(void)
+ unsigned long byte_size = buffer_size * (sizeof(struct op_sample) +
+ RB_EVENT_HDR_SIZE);
+
+- op_ring_buffer_read = ring_buffer_alloc(byte_size, OP_BUFFER_FLAGS);
+- if (!op_ring_buffer_read)
+- goto fail;
+- op_ring_buffer_write = ring_buffer_alloc(byte_size, OP_BUFFER_FLAGS);
+- if (!op_ring_buffer_write)
++ op_ring_buffer = ring_buffer_alloc(byte_size, OP_BUFFER_FLAGS);
++ if (!op_ring_buffer)
+ goto fail;
+
+ for_each_possible_cpu(i) {
+@@ -163,16 +141,11 @@ struct op_sample
+ *op_cpu_buffer_write_reserve(struct op_entry *entry, unsigned long size)
+ {
+ entry->event = ring_buffer_lock_reserve
+- (op_ring_buffer_write, sizeof(struct op_sample) +
++ (op_ring_buffer, sizeof(struct op_sample) +
+ size * sizeof(entry->sample->data[0]));
+- if (entry->event)
+- entry->sample = ring_buffer_event_data(entry->event);
+- else
+- entry->sample = NULL;
+-
+- if (!entry->sample)
++ if (!entry->event)
+ return NULL;
+-
++ entry->sample = ring_buffer_event_data(entry->event);
+ entry->size = size;
+ entry->data = entry->sample->data;
+
+@@ -181,25 +154,16 @@ struct op_sample
+
+ int op_cpu_buffer_write_commit(struct op_entry *entry)
+ {
+- return ring_buffer_unlock_commit(op_ring_buffer_write, entry->event);
++ return ring_buffer_unlock_commit(op_ring_buffer, entry->event);
+ }
+
+ struct op_sample *op_cpu_buffer_read_entry(struct op_entry *entry, int cpu)
+ {
+ struct ring_buffer_event *e;
+- e = ring_buffer_consume(op_ring_buffer_read, cpu, NULL);
+- if (e)
+- goto event;
+- if (ring_buffer_swap_cpu(op_ring_buffer_read,
+- op_ring_buffer_write,
+- cpu))
++ e = ring_buffer_consume(op_ring_buffer, cpu, NULL);
++ if (!e)
+ return NULL;
+- e = ring_buffer_consume(op_ring_buffer_read, cpu, NULL);
+- if (e)
+- goto event;
+- return NULL;
+
+-event:
+ entry->event = e;
+ entry->sample = ring_buffer_event_data(e);
+ entry->size = (ring_buffer_event_length(e) - sizeof(struct op_sample))
+@@ -210,8 +174,7 @@ event:
+
+ unsigned long op_cpu_buffer_entries(int cpu)
+ {
+- return ring_buffer_entries_cpu(op_ring_buffer_read, cpu)
+- + ring_buffer_entries_cpu(op_ring_buffer_write, cpu);
++ return ring_buffer_entries_cpu(op_ring_buffer, cpu);
+ }
+
+ static int
diff --git a/queue-2.6.32/oprofile-x86-fix-uninitialized-counter-usage-during-cpu-hotplug.patch b/queue-2.6.32/oprofile-x86-fix-uninitialized-counter-usage-during-cpu-hotplug.patch
new file mode 100644
index 00000000000..ac7a22acd70
--- /dev/null
+++ b/queue-2.6.32/oprofile-x86-fix-uninitialized-counter-usage-during-cpu-hotplug.patch
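Review bot: In drivers/oprofile/cpu_buffer.c, the declaration `static struct ring_buffer *op_ring_buffer;` is left without any comment once the block describing the reader/writer contexts is deleted. The single buffer is still written through `op_cpu_buffer_write_reserve()` and consumed through `op_cpu_buffer_read_entry()`, and per the removed text those run in the NMI handler and in process context respectively. Its safety now rests on the ring buffer implementation tolerating that, which the commit message asserts but the code does not record. A two-line replacement comment above the declaration would help, along the lines of `/* One buffer shared by NMI-context writers and process-context readers; relies on the ring buffer being safe without the old spin locking. */`. That matters for anyone backporting this to a tree with the older ring buffer, which the commit message warns against.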
@@ -0,0 +1,185 @@
+From 2623a1d55a6260c855e1f6d1895900b50b40a896 Mon Sep 17 00:00:00 2001
+From: Robert Richter
+Date: Mon, 3 May 2010 19:44:32 +0200
+Subject: oprofile/x86: fix uninitialized counter usage during cpu hotplug
+
+From: Robert Richter
+
+commit 2623a1d55a6260c855e1f6d1895900b50b40a896 upstream.
+
+This fixes a NULL pointer dereference that is triggered when taking a
+cpu offline after oprofile was initialized, e.g.:
+
+ $ opcontrol --init
+ $ opcontrol --start-daemon
+ $ opcontrol --shutdown
+ $ opcontrol --deinit
+ $ echo 0 > /sys/devices/system/cpu/cpu1/online
+
+See the crash dump below. Though the counter has been disabled the cpu
+notifier is still active and trying to use already freed counter data.
+
+This fix is for linux-stable. To proper fix this, the hotplug code
+must be rewritten. Thus I will leave a WARN_ON_ONCE() message with
+this patch.
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [] op_amd_stop+0x2d/0x8e
+PGD 0
+Oops: 0000 [#1] SMP
+last sysfs file: /sys/devices/system/cpu/cpu1/online
+CPU 1
+Modules linked in:
+
+Pid: 0, comm: swapper Not tainted 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Anaheim/Anaheim
+RIP: 0010:[] [] op_amd_stop+0x2d/0x8e
+RSP: 0018:ffff880001843f28 EFLAGS: 00010006
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: dead000000200200
+RDX: ffff880001843f68 RSI: dead000000100100 RDI: 0000000000000000
+RBP: ffff880001843f48 R08: 0000000000000000 R09: ffff880001843f08
+R10: ffffffff8102c9a5 R11: ffff88000184ea80 R12: 0000000000000000
+R13: ffff88000184f6c0 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007fec6a92e6f0(0000) GS:ffff880001840000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000000000 CR3: 000000000163b000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper (pid: 0, threadinfo ffff88042fcd8000, task ffff88042fcd51d0)
+Stack:
+ ffff880001843f48 0000000000000001 ffff88042e9f7d38 ffff880001843f68
+<0> ffff880001843f58 ffffffff8132a602 ffff880001843f98 ffffffff810521b3
+<0> ffff880001843f68 ffff880001843f68 ffff880001843f88 ffff88042fcd9fd8
+Call Trace:
+
+ [] nmi_cpu_stop+0x21/0x23
+ [] generic_smp_call_function_single_interrupt+0xdf/0x11b
+ [] smp_call_function_single_interrupt+0x22/0x31
+ [] call_function_single_interrupt+0x13/0x20
+
+ [] ? wake_up_process+0x10/0x12
+ [] ? default_idle+0x22/0x37
+ [] c1e_idle+0xdf/0xe6
+ [] ? atomic_notifier_call_chain+0x13/0x15
+ [] cpu_idle+0x4b/0x7e
+ [] start_secondary+0x1ae/0x1b2
+Code: 89 e5 41 55 49 89 fd 41 54 45 31 e4 53 31 db 48 83 ec 08 89 df e8 be f8 ff ff 48 98 48 83 3c c5 10 67 7a 81 00 74 1f 49 8b 45 08 <42> 8b 0c 20 0f 32 48 c1 e2 20 25 ff ff bf ff 48 09 d0 48 89 c2
+RIP [] op_amd_stop+0x2d/0x8e
+ RSP
+CR2: 0000000000000000
+---[ end trace 679ac372d674b757 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16
+Call Trace:
+ [] panic+0x9e/0x10c
+ [] ? up+0x34/0x39
+ [] ? kmsg_dump+0x112/0x12c
+ [] oops_end+0x81/0x8e
+ [] no_context+0x1f3/0x202
+ [] __bad_area_nosemaphore+0x1ba/0x1e0
+ [] ? enqueue_task_fair+0x16d/0x17a
+ [] ? activate_task+0x42/0x53
+ [] ? try_to_wake_up+0x272/0x284
+ [] bad_area_nosemaphore+0xe/0x10
+ [] do_page_fault+0x1c8/0x37c
+ [] ? enqueue_task_fair+0x16d/0x17a
+ [] page_fault+0x1f/0x30
+ [] ? wake_up_process+0x10/0x12
+ [] ? op_amd_stop+0x2d/0x8e
+ [] ? op_amd_stop+0x1c/0x8e
+ [] nmi_cpu_stop+0x21/0x23
+ [] generic_smp_call_function_single_interrupt+0xdf/0x11b
+ [] smp_call_function_single_interrupt+0x22/0x31
+ [] call_function_single_interrupt+0x13/0x20
+ [] ? wake_up_process+0x10/0x12
+ [] ? default_idle+0x22/0x37
+ [] c1e_idle+0xdf/0xe6
+ [] ? atomic_notifier_call_chain+0x13/0x15
+ [] cpu_idle+0x4b/0x7e
+ [] start_secondary+0x1ae/0x1b2
+------------[ cut here ]------------
+WARNING: at /local/rrichter/.source/linux/arch/x86/kernel/smp.c:118 native_smp_send_reschedule+0x27/0x53()
+Hardware name: Anaheim
+Modules linked in:
+Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16
+Call Trace:
+ [] ? native_smp_send_reschedule+0x27/0x53
+ [] warn_slowpath_common+0x77/0xa4
+ [] warn_slowpath_null+0xf/0x11
+ [] native_smp_send_reschedule+0x27/0x53
+ [] resched_task+0x60/0x62
+ [] check_preempt_curr_idle+0x10/0x12
+ [] try_to_wake_up+0x1f5/0x284
+ [] default_wake_function+0xd/0xf
+ [] pollwake+0x57/0x5a
+ [] ? default_wake_function+0x0/0xf
+ [] __wake_up_common+0x46/0x75
+ [] __wake_up+0x38/0x50
+ [] printk_tick+0x39/0x3b
+ [] update_process_times+0x3f/0x5c
+ [] tick_periodic+0x5d/0x69
+ [] tick_handle_periodic+0x21/0x71
+ [] smp_apic_timer_interrupt+0x82/0x95
+ [] apic_timer_interrupt+0x13/0x20
+ [] ? panic_blink_one_second+0x0/0x7b
+ [] ? panic+0x10a/0x10c
+ [] ? up+0x34/0x39
+ [] ? kmsg_dump+0x112/0x12c
+ [] ? oops_end+0x81/0x8e
+ [] ? no_context+0x1f3/0x202
+ [] ? __bad_area_nosemaphore+0x1ba/0x1e0
+ [] ? enqueue_task_fair+0x16d/0x17a
+ [] ? activate_task+0x42/0x53
+ [] ? try_to_wake_up+0x272/0x284
+ [] ? bad_area_nosemaphore+0xe/0x10
+ [] ? do_page_fault+0x1c8/0x37c
+ [] ? enqueue_task_fair+0x16d/0x17a
+ [] ? page_fault+0x1f/0x30
+ [] ? wake_up_process+0x10/0x12
+ [] ? op_amd_stop+0x2d/0x8e
+ [] ? op_amd_stop+0x1c/0x8e
+ [] ? nmi_cpu_stop+0x21/0x23
+ [] ? generic_smp_call_function_single_interrupt+0xdf/0x11b
+ [] ? smp_call_function_single_interrupt+0x22/0x31
+ [] ? call_function_single_interrupt+0x13/0x20
+ [] ? wake_up_process+0x10/0x12
+ [] ? default_idle+0x22/0x37
+ [] ? c1e_idle+0xdf/0xe6
+ [] ? atomic_notifier_call_chain+0x13/0x15
+ [] ? cpu_idle+0x4b/0x7e
+ [] ? start_secondary+0x1ae/0x1b2
+---[ end trace 679ac372d674b758 ]---
+
+Cc: Andi Kleen
+Signed-off-by: Robert Richter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/oprofile/nmi_int.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -95,7 +95,10 @@ static void nmi_cpu_save_registers(struc
+ static void nmi_cpu_start(void *dummy)
+ {
+ struct op_msrs const *msrs = &__get_cpu_var(cpu_msrs);
+- model->start(msrs);
++ if (!msrs->controls)
++ WARN_ON_ONCE(1);
++ else
++ model->start(msrs);
+ }
+
+ static int nmi_start(void)
+@@ -107,7 +110,10 @@ static int nmi_start(void)
+ static void nmi_cpu_stop(void *dummy)
+ {
+ struct op_msrs const *msrs = &__get_cpu_var(cpu_msrs);
+- model->stop(msrs);
++ if (!msrs->controls)
++ WARN_ON_ONCE(1);
++ else
++ model->stop(msrs);
+ }
+
+ static void nmi_stop(void)
diff --git a/queue-2.6.32/posix_timer-fix-error-path-in-timer_create.patch b/queue-2.6.32/posix_timer-fix-error-path-in-timer_create.patch
new file mode 100644
index 00000000000..f154bbcfa8b
--- /dev/null
+++ b/queue-2.6.32/posix_timer-fix-error-path-in-timer_create.patch
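Review bot: In arch/x86/oprofile/nmi_int.c, the guard in `nmi_cpu_start()` is written as `if (!msrs->controls) WARN_ON_ONCE(1); else model->start(msrs);`, which hides the tested condition from the warning and reads awkwardly. `WARN_ON_ONCE()` evaluates to its condition, so the usual form is `if (WARN_ON_ONCE(!msrs->controls))` followed by `return;`, then an unconditional `model->start(msrs);`. The same applies to `nmi_cpu_stop()` in the second hunk. The guard tests only `controls`, so it is worth a one-line comment stating that a NULL `controls` is taken to mean the per-cpu MSR data has already been freed, since the freeing code is not visible in these hunks.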
@@ -0,0 +1,53 @@
+From 45e0fffc8a7778282e6a1514a6ae3e7ae6545111 Mon Sep 17 00:00:00 2001
+From: Andrey Vagin
+Date: Mon, 24 May 2010 12:15:33 -0700
+Subject: posix_timer: Fix error path in timer_create
+
+From: Andrey Vagin
+
+commit 45e0fffc8a7778282e6a1514a6ae3e7ae6545111 upstream.
+
+Move CLOCK_DISPATCH(which_clock, timer_create, (new_timer)) after all
+posible EFAULT erros.
+
+*_timer_create may allocate/get resources.
+(for example posix_cpu_timer_create does get_task_struct)
+
+[ tglx: fold the remove crappy comment patch into this ]
+
+Signed-off-by: Andrey Vagin
+Cc: Oleg Nesterov
+Cc: Pavel Emelyanov
+Reviewed-by: Stanislaw Gruszka
+Signed-off-by: Andrew Morton
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -559,14 +559,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
+ new_timer->it_id = (timer_t) new_timer_id;
+ new_timer->it_clock = which_clock;
+ new_timer->it_overrun = -1;
+- error = CLOCK_DISPATCH(which_clock, timer_create, (new_timer));
+- if (error)
+- goto out;
+
+- /*
+- * return the timer_id now. The next step is hard to
+- * back out if there is an error.
+- */
+ if (copy_to_user(created_timer_id,
+ &new_timer_id, sizeof (new_timer_id))) {
+ error = -EFAULT;
+@@ -597,6 +590,10 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
+ new_timer->sigq->info.si_tid = new_timer->it_id;
+ new_timer->sigq->info.si_code = SI_TIMER;
+
++ error = CLOCK_DISPATCH(which_clock, timer_create, (new_timer));
++ if (error)
++ goto out;
++
+ spin_lock_irq(¤t->sighand->siglock);
+ new_timer->it_signal = current->signal;
+ list_add(&new_timer->list, ¤t->signal->posix_timers);
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
new file mode 100644
index 00000000000..cd2b4b6ea74
--- /dev/null
+++ b/queue-2.6.32/series
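Review bot: In kernel/posix-timers.c, the relocated `CLOCK_DISPATCH(which_clock, timer_create, (new_timer))` call carries no comment saying that it must stay the last step that can fail. According to the commit message the clock's timer_create hook may take resources (a task reference, in the CPU-timer case), and the `out` path, which is outside these hunks, apparently does not give them back. Any fallible step added after the dispatch would therefore bring the leak back. A comment directly above the call would record the constraint, for example `/* Keep this after every step that can fail: timer_create may take references that the out: path does not drop. */`. Only fragments of the syscall body are visible here, so the claim about `out` should be confirmed against the full function.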
@@ -0,0 +1,6 @@
+oprofile-x86-fix-uninitialized-counter-usage-during-cpu-hotplug.patch
+oprofile-remove-double-ring-buffering.patch
+fix-racy-use-of-anon_inode_getfd-in-perf_event.c.patch
+posix_timer-fix-error-path-in-timer_create.patch
+libata-disable-atapi-an-by-default.patch
+libata-don-t-flush-dcache-on-slab-pages.patch