From: Greg Kroah-Hartman Date: Wed, 29 Apr 2009 23:51:18 +0000 (-0700) Subject: start 2.6.27.22 review cycle X-Git-Tag: v2.6.27.22~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9363d25a4b2311bdc9bbdd67c322cd46a2475d2;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.27.22 review cycle --- diff --git a/queue-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch b/review-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch similarity index 100% rename from queue-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch rename to review-2.6.27/0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch diff --git a/queue-2.6.27/0008-USB-EHCI-add-software-retry-for-transaction-errors.patch b/review-2.6.27/0008-USB-EHCI-add-software-retry-for-transaction-errors.patch similarity index 100% rename from queue-2.6.27/0008-USB-EHCI-add-software-retry-for-transaction-errors.patch rename to review-2.6.27/0008-USB-EHCI-add-software-retry-for-transaction-errors.patch diff --git a/queue-2.6.27/0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch b/review-2.6.27/0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch similarity index 100% rename from queue-2.6.27/0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch rename to review-2.6.27/0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch diff --git a/queue-2.6.27/0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch b/review-2.6.27/0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch similarity index 100% rename from queue-2.6.27/0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch rename to review-2.6.27/0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch diff --git a/queue-2.6.27/0011-USB-gadget-fix-rndis-regression.patch b/review-2.6.27/0011-USB-gadget-fix-rndis-regression.patch similarity index 100% rename from queue-2.6.27/0011-USB-gadget-fix-rndis-regression.patch rename to review-2.6.27/0011-USB-gadget-fix-rndis-regression.patch diff --git a/queue-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch b/review-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch similarity index 100% rename from queue-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch rename to review-2.6.27/0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch diff --git a/queue-2.6.27/0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch b/review-2.6.27/0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch similarity index 100% rename from queue-2.6.27/0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch rename to review-2.6.27/0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch diff --git a/queue-2.6.27/0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch b/review-2.6.27/0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch similarity index 100% rename from queue-2.6.27/0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch rename to review-2.6.27/0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch diff --git a/queue-2.6.27/0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch b/review-2.6.27/0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch similarity index 100% rename from queue-2.6.27/0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch rename to review-2.6.27/0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch diff --git a/queue-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch b/review-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch similarity index 100% rename from queue-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch rename to review-2.6.27/0031-mm-do_xip_mapping_read-fix-length-calculation.patch diff --git a/queue-2.6.27/0032-Add-a-missing-unlock_kernel-in-raw_open.patch b/review-2.6.27/0032-Add-a-missing-unlock_kernel-in-raw_open.patch similarity index 100% rename from queue-2.6.27/0032-Add-a-missing-unlock_kernel-in-raw_open.patch rename to review-2.6.27/0032-Add-a-missing-unlock_kernel-in-raw_open.patch diff --git a/queue-2.6.27/0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch b/review-2.6.27/0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch similarity index 100% rename from queue-2.6.27/0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch rename to review-2.6.27/0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch diff --git a/queue-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch b/review-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch similarity index 100% rename from queue-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch rename to review-2.6.27/0034-vfs-skip-I_CLEAR-state-inodes.patch diff --git a/queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch b/review-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch similarity index 100% rename from queue-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch rename to review-2.6.27/0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch diff --git a/queue-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch b/review-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch similarity index 100% rename from queue-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch rename to review-2.6.27/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch diff --git a/queue-2.6.27/0044-net-netrom-Fix-socket-locking.patch b/review-2.6.27/0044-net-netrom-Fix-socket-locking.patch similarity index 100% rename from queue-2.6.27/0044-net-netrom-Fix-socket-locking.patch rename to review-2.6.27/0044-net-netrom-Fix-socket-locking.patch diff --git a/queue-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch b/review-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch similarity index 100% rename from queue-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch rename to review-2.6.27/0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch diff --git a/queue-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch b/review-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch similarity index 100% rename from queue-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch rename to review-2.6.27/0049-splice-fix-deadlock-in-splicing-to-file.patch diff --git a/queue-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch b/review-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch similarity index 100% rename from queue-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch rename to review-2.6.27/0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch diff --git a/queue-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch b/review-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch similarity index 100% rename from queue-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch rename to review-2.6.27/0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch diff --git a/queue-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch b/review-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch similarity index 100% rename from queue-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch rename to review-2.6.27/0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch diff --git a/queue-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch b/review-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch similarity index 100% rename from queue-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch rename to review-2.6.27/0060-sched-do-not-count-frozen-tasks-toward-load.patch diff --git a/queue-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch b/review-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch similarity index 100% rename from queue-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch rename to review-2.6.27/0063-add-some-long-missing-capabilities-to-fs_mask.patch diff --git a/queue-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch b/review-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch similarity index 100% rename from queue-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch rename to review-2.6.27/0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch diff --git a/queue-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch b/review-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch similarity index 100% rename from queue-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch rename to review-2.6.27/0069-hpt366-fix-HPT370-DMA-timeouts.patch diff --git a/queue-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch b/review-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch similarity index 100% rename from queue-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch rename to review-2.6.27/0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch diff --git a/queue-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch b/review-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch similarity index 100% rename from queue-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch rename to review-2.6.27/0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch diff --git a/queue-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch b/review-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch similarity index 100% rename from queue-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch rename to review-2.6.27/0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch diff --git a/queue-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch b/review-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch similarity index 100% rename from queue-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch rename to review-2.6.27/0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch diff --git a/queue-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch b/review-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch similarity index 100% rename from queue-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch rename to review-2.6.27/0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch diff --git a/queue-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch b/review-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch similarity index 100% rename from queue-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch rename to review-2.6.27/0093-agp-zero-pages-before-sending-to-userspace.patch diff --git a/queue-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch b/review-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch similarity index 100% rename from queue-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch rename to review-2.6.27/0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch diff --git a/queue-2.6.27/acpi-ec-add-some-basic-check-for-ecdt-data.patch b/review-2.6.27/acpi-ec-add-some-basic-check-for-ecdt-data.patch similarity index 100% rename from queue-2.6.27/acpi-ec-add-some-basic-check-for-ecdt-data.patch rename to review-2.6.27/acpi-ec-add-some-basic-check-for-ecdt-data.patch diff --git a/queue-2.6.27/acpi-ec-fix-compilation-warning.patch b/review-2.6.27/acpi-ec-fix-compilation-warning.patch similarity index 100% rename from queue-2.6.27/acpi-ec-fix-compilation-warning.patch rename to review-2.6.27/acpi-ec-fix-compilation-warning.patch diff --git a/queue-2.6.27/ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch b/review-2.6.27/ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch similarity index 100% rename from queue-2.6.27/ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch rename to review-2.6.27/ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch diff --git a/queue-2.6.27/ath9k-implement-io-serialization.patch b/review-2.6.27/ath9k-implement-io-serialization.patch similarity index 100% rename from queue-2.6.27/ath9k-implement-io-serialization.patch rename to review-2.6.27/ath9k-implement-io-serialization.patch diff --git a/queue-2.6.27/b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch b/review-2.6.27/b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch similarity index 100% rename from queue-2.6.27/b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch rename to review-2.6.27/b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch diff --git a/queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch b/review-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch similarity index 100% rename from queue-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch rename to review-2.6.27/bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch diff --git a/queue-2.6.27/block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch b/review-2.6.27/block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch similarity index 100% rename from queue-2.6.27/block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch rename to review-2.6.27/block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch diff --git a/queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch b/review-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch similarity index 100% rename from queue-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch rename to review-2.6.27/bonding-fix-updating-of-speed-duplex-changes.patch diff --git a/queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch b/review-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch similarity index 100% rename from queue-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch rename to review-2.6.27/bridge-bad-error-handling-when-adding-invalid-ether-address.patch diff --git a/queue-2.6.27/crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch b/review-2.6.27/crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch similarity index 100% rename from queue-2.6.27/crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch rename to review-2.6.27/crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch diff --git a/queue-2.6.27/exit_notify-kill-the-wrong-capable-check.patch b/review-2.6.27/exit_notify-kill-the-wrong-capable-check.patch similarity index 100% rename from queue-2.6.27/exit_notify-kill-the-wrong-capable-check.patch rename to review-2.6.27/exit_notify-kill-the-wrong-capable-check.patch diff --git a/queue-2.6.27/fix-ptrace-slowness.patch b/review-2.6.27/fix-ptrace-slowness.patch similarity index 100% rename from queue-2.6.27/fix-ptrace-slowness.patch rename to review-2.6.27/fix-ptrace-slowness.patch diff --git a/queue-2.6.27/fs-core-fixes.patch b/review-2.6.27/fs-core-fixes.patch similarity index 100% rename from queue-2.6.27/fs-core-fixes.patch rename to review-2.6.27/fs-core-fixes.patch diff --git a/queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch b/review-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch similarity index 100% rename from queue-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch rename to review-2.6.27/ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch diff --git a/queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch b/review-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch similarity index 100% rename from queue-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch rename to review-2.6.27/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch diff --git a/queue-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch b/review-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch similarity index 100% rename from queue-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch rename to review-2.6.27/kprobes-fix-locking-imbalance-in-kretprobes.patch diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox new file mode 100644 index 00000000000..b3797aba9e3 --- /dev/null +++ b/review-2.6.27/mbox @@ -0,0 +1,5963 @@ +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220922.910328940@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + David Brownell , + Chris Wright +Subject: [patch 01/58] USB: EHCI: add software retry for transaction errors +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0008-USB-EHCI-add-software-retry-for-transaction-errors.patch +Content-Length: 3248 +Lines: 99 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +upstream commit: a2c2706e1043c17139c2dafd171c4a5cf008ef7e + +This patch (as1204) adds a software retry mechanism to ehci-hcd. It +gets invoked when the driver encounters transaction errors on an +asynchronous endpoint. On many systems, hardware deficiencies cause +such errors to occur if one device is unplugged while the host is +communicating with another device. With the patch, the failed +transactions are retried and generally succeed the second or third +time through. + +This is based on code originally written by Koichiro Saito. + +Signed-off-by: Alan Stern +Tested by: Koichiro Saito +CC: David Brownell +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/host/ehci-q.c | 32 ++++++++++++++++++++++++++++++++ + drivers/usb/host/ehci.h | 3 +++ + 2 files changed, 35 insertions(+) + +--- a/drivers/usb/host/ehci.h ++++ b/drivers/usb/host/ehci.h +@@ -500,6 +500,9 @@ struct ehci_qh { + #define QH_STATE_UNLINK_WAIT 4 /* LINKED and on reclaim q */ + #define QH_STATE_COMPLETING 5 /* don't touch token.HALT */ + ++ u8 xacterrs; /* XactErr retry counter */ ++#define QH_XACTERR_MAX 32 /* XactErr retry limit */ ++ + /* periodic schedule info */ + u8 usecs; /* intr bandwidth */ + u8 gap_uf; /* uframes split/csplit gap */ +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -333,12 +333,40 @@ qh_completions (struct ehci_hcd *ehci, s + token = hc32_to_cpu(ehci, qtd->hw_token); + + /* always clean up qtds the hc de-activated */ ++ retry_xacterr: + if ((token & QTD_STS_ACTIVE) == 0) { + + /* on STALL, error, and short reads this urb must + * complete and all its qtds must be recycled. + */ + if ((token & QTD_STS_HALT) != 0) { ++ ++ /* retry transaction errors until we ++ * reach the software xacterr limit ++ */ ++ if ((token & QTD_STS_XACT) && ++ QTD_CERR(token) == 0 && ++ --qh->xacterrs > 0 && ++ !urb->unlinked) { ++ ehci_dbg(ehci, ++ "detected XactErr len %d/%d retry %d\n", ++ qtd->length - QTD_LENGTH(token), qtd->length, ++ QH_XACTERR_MAX - qh->xacterrs); ++ ++ /* reset the token in the qtd and the ++ * qh overlay (which still contains ++ * the qtd) so that we pick up from ++ * where we left off ++ */ ++ token &= ~QTD_STS_HALT; ++ token |= QTD_STS_ACTIVE | ++ (EHCI_TUNE_CERR << 10); ++ qtd->hw_token = cpu_to_hc32(ehci, ++ token); ++ wmb(); ++ qh->hw_token = cpu_to_hc32(ehci, token); ++ goto retry_xacterr; ++ } + stopped = 1; + + /* magic dummy for some short reads; qh won't advance. +@@ -421,6 +449,9 @@ halt: + /* remove qtd; it's recycled after possible urb completion */ + list_del (&qtd->qtd_list); + last = qtd; ++ ++ /* reinit the xacterr counter for the next qtd */ ++ qh->xacterrs = QH_XACTERR_MAX; + } + + /* last urb's completion might still need calling */ +@@ -862,6 +893,7 @@ static void qh_link_async (struct ehci_h + head->qh_next.qh = qh; + head->hw_next = dma; + ++ qh->xacterrs = QH_XACTERR_MAX; + qh->qh_state = QH_STATE_LINKED; + /* qtd completions reported later by interrupt */ + } + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.070621183@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Boaz Harrosh , + Matthieu CASTET , + James Bottomley , + Matthew Dharm , + Chris Wright +Subject: [patch 02/58] USB: fix USB_STORAGE_CYPRESS_ATACB +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch +Content-Length: 2743 +Lines: 70 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Boaz Harrosh + +upstream commit: 1f4159c1620f74377e26d8a569d10ca5907ef475 + +commit 64a87b24: [SCSI] Let scsi_cmnd->cmnd use request->cmd buffer +changed the scsi_eh_prep_cmnd logic by making it clear +the ->cmnd buffer. But the sat to cypress atacb translation supposed +the ->cmnd buffer wasn't modified. + +This patch makes it set the ->cmnd buffer after scsi_eh_prep_cmnd call. +The problem and a fix was reported by Matthieu CASTET + +It also removes all the hackery fiddling of scsi_cmnd and scsi_eh_save by +requesting from scsi_eh_prep_cmnd to prepare a read into ->sense_buffer, +which is much more suitable a buffer for HW transfers, then after the command +execution the regs read is copied into regs buffer before actual preparation +of sense_buffer. + +Also fix an alien comment character to my utf-8 editor. + +Signed-off-by: Boaz Harrosh +Signed-off-by: Matthieu CASTET +Cc: stable +Cc: James Bottomley +Cc: Matthew Dharm +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/storage/cypress_atacb.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/usb/storage/cypress_atacb.c ++++ b/drivers/usb/storage/cypress_atacb.c +@@ -133,19 +133,18 @@ void cypress_atacb_passthrough(struct sc + + /* build the command for + * reading the ATA registers */ +- scsi_eh_prep_cmnd(srb, &ses, NULL, 0, 0); +- srb->sdb.length = sizeof(regs); +- sg_init_one(&ses.sense_sgl, regs, srb->sdb.length); +- srb->sdb.table.sgl = &ses.sense_sgl; +- srb->sc_data_direction = DMA_FROM_DEVICE; +- srb->sdb.table.nents = 1; ++ scsi_eh_prep_cmnd(srb, &ses, NULL, 0, sizeof(regs)); ++ + /* we use the same command as before, but we set + * the read taskfile bit, for not executing atacb command, + * but reading register selected in srb->cmnd[4] + */ ++ srb->cmd_len = 16; ++ srb->cmnd = ses.cmnd; + srb->cmnd[2] = 1; + + usb_stor_transparent_scsi_command(srb, us); ++ memcpy(regs, srb->sense_buffer, sizeof(regs)); + tmp_result = srb->result; + scsi_eh_restore_cmnd(srb, &ses); + /* we fail to get registers, report invalid command */ +@@ -162,8 +161,8 @@ void cypress_atacb_passthrough(struct sc + + /* XXX we should generate sk, asc, ascq from status and error + * regs +- * (see 11.1 Error translation ­ ATA device error to SCSI error map) +- * and ata_to_sense_error from libata. ++ * (see 11.1 Error translation ATA device error to SCSI error ++ * map, and ata_to_sense_error from libata.) + */ + + /* Sense data is current and format is descriptor. */ + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.226388330@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + Chris Wright +Subject: [patch 03/58] USB: usb-storage: increase max_sectors for tape drives +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch +Content-Length: 1421 +Lines: 37 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +upstream commit: 5c16034d73da2c1b663aa25dedadbc533b3d811c + +This patch (as1203) increases the max_sector limit for USB tape +drives. By default usb-storage sets max_sectors to 240 (i.e., 120 KB) +for all devices. But tape drives need a higher limit, since tapes can +and do have very large block sizes. Without the ability to transfer +an entire large block in a single command, such tapes can't be used. + +This fixes Bugzilla #12207. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Phil Mitchell +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/storage/scsiglue.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -135,6 +135,12 @@ static int slave_configure(struct scsi_d + if (sdev->request_queue->max_sectors > max_sectors) + blk_queue_max_sectors(sdev->request_queue, + max_sectors); ++ } else if (sdev->type == TYPE_TAPE) { ++ /* Tapes need much higher max_sector limits, so just ++ * raise it to the maximum possible (4 GB / 512) and ++ * let the queue segment size sort out the real limit. ++ */ ++ blk_queue_max_sectors(sdev->request_queue, 0x7FFFFF); + } + + /* We can't put these settings in slave_alloc() because that gets + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.354602106@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Brownell , + Chris Wright +Subject: [patch 04/58] USB: gadget: fix rndis regression +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0011-USB-gadget-fix-rndis-regression.patch +Content-Length: 1382 +Lines: 37 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: David Brownell + +upstream commit: 090b90118207e786d2990310d063fda5d52cce6e + +Restore some code that was wrongly dropped from the RNDIS +driver, and caused interop problems observed with OpenMoko. + +The issue is with hardware which needs help conforming to part +of the USB 2.0 spec (section 8.5.3.2); some can automagically +send a ZLP in response to an unexpected IN, but not all chips +will do that. We don't need to check the packet length ourselves +the way earlier code did, since the UDC must already check it. +But we do need to tell the UDC when it must force a short packet +termination of the data stage. + +(Based on a patch from Aric D. Blumer ) + +Signed-off-by: David Brownell +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/gadget/f_rndis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/f_rndis.c ++++ b/drivers/usb/gadget/f_rndis.c +@@ -437,7 +437,7 @@ invalid: + DBG(cdev, "rndis req%02x.%02x v%04x i%04x l%d\n", + ctrl->bRequestType, ctrl->bRequest, + w_value, w_index, w_length); +- req->zero = 0; ++ req->zero = (value < w_length); + req->length = value; + value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC); + if (value < 0) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.509152271@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jeff Layton , + Steve French , + Chris Wright +Subject: [patch 05/58] cifs: fix buffer format byte on NT Rename/hardlink +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch +Content-Length: 1262 +Lines: 36 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jeff Layton + +upstream commit: fcc7c09d94be7b75c9ea2beb22d0fae191c6b4b9 + +Discovered at Connnectathon 2009... + +The buffer format byte and the pad are transposed in NT_RENAME calls +(which are used to set hardlinks). Most servers seem to ignore this +fact, but NetApp filers throw back an error due to this problem. This +patch fixes it. + +CC: Stable +Signed-off-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -2348,8 +2348,10 @@ winCreateHardLinkRetry: + PATH_MAX, nls_codepage, remap); + name_len++; /* trailing null */ + name_len *= 2; +- pSMB->OldFileName[name_len] = 0; /* pad */ +- pSMB->OldFileName[name_len + 1] = 0x04; ++ ++ /* protocol specifies ASCII buffer format (0x04) for unicode */ ++ pSMB->OldFileName[name_len] = 0x04; ++ pSMB->OldFileName[name_len + 1] = 0x00; /* pad */ + name_len2 = + cifsConvertToUCS((__le16 *)&pSMB->OldFileName[name_len + 2], + toName, PATH_MAX, nls_codepage, remap); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.643128666@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Lorenzo Nava , + Michael Buesch , + "John W. Linville" , + Chris Wright +Subject: [patch 06/58] b43: fix b43_plcp_get_bitrate_idx_ofdm return type +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch +Content-Length: 1130 +Lines: 31 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Lorenzo Nava + +upstream commit: a3c0b87c4f21911fb7185902dd13f0e3cd7f33f7 + +This patch fixes the return type of b43_plcp_get_bitrate_idx_ofdm. If +the plcp contains an error, the function return value is 255 instead +of -1, and the packet was not dropped. This causes a warning in +__ieee80211_rx function because rate idx is out of range. + +Cc: stable@kernel.org +Signed-off-by: Lorenzo Nava +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/b43/xmit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/b43/xmit.c ++++ b/drivers/net/wireless/b43/xmit.c +@@ -51,7 +51,7 @@ static int b43_plcp_get_bitrate_idx_cck( + } + + /* Extract the bitrate index out of an OFDM PLCP header. */ +-static u8 b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy) ++static int b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy) + { + int base = aphy ? 0 : 4; + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009 +Message-Id: <20090429220923.770520966@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:06 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sridhar Vinay , + Shirish Pargaonkar , + Steve French , + Chris Wright +Subject: [patch 07/58] CIFS: Fix memory overwrite when saving nativeFileSystem field during mount +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch +Content-Length: 1454 +Lines: 42 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Steve French + +upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b + +CIFS can allocate a few bytes to little for the nativeFileSystem field +during tree connect response processing during mount. This can result +in a "Redzone overwritten" message to be logged. + +Signed-off-by: Sridhar Vinay +Acked-by: Shirish Pargaonkar +CC: Stable +Signed-off-by: Steve French +[chrisw: minor backport to CHANGES file] +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/CHANGES | 3 +++ + fs/cifs/connect.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/cifs/CHANGES ++++ b/fs/cifs/CHANGES +@@ -1,4 +1,7 @@ + Fix oops in cifs_dfs_ref.c when prefixpath is not reachable when using DFS. ++Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too ++little memory for the "nativeFileSystem" field returned by the server ++during mount). + + Version 1.54 + ------------ +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3549,7 +3549,7 @@ CIFSTCon(unsigned int xid, struct cifsSe + BCC(smb_buffer_response)) { + kfree(tcon->nativeFileSystem); + tcon->nativeFileSystem = +- kzalloc(length + 2, GFP_KERNEL); ++ kzalloc(2*(length + 1), GFP_KERNEL); + if (tcon->nativeFileSystem) + cifs_strfromUCS_le( + tcon->nativeFileSystem, + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220923.917712366@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dan Carpenter , + Jonathan Corbet , + Chris Wright +Subject: [patch 08/58] Add a missing unlock_kernel() in raw_open() +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0032-Add-a-missing-unlock_kernel-in-raw_open.patch +Content-Length: 553 +Lines: 24 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Dan Carpenter + +upstream commit: 996ff68d8b358885c1de82a45517c607999947c7 + +Cc: stable@kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Jonathan Corbet +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/raw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/raw.c ++++ b/drivers/char/raw.c +@@ -90,6 +90,7 @@ out1: + blkdev_put(bdev); + out: + mutex_unlock(&raw_mutex); ++ unlock_kernel(); + return err; + } + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220924.051987610@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Venkatesh Pallipadi , + Suresh Siddha , + Jesse Barnes , + Dave Airlie , + Ingo Molnar , + Chris Wright +Subject: [patch 09/58] x86, PAT, PCI: Change vma prot in pci_mmap to reflect inherited prot +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch +Content-Length: 1447 +Lines: 43 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Pallipadi, Venkatesh + +upstream commit: 9cdec049389ce2c324fd1ec508a71528a27d4a07 + +While looking at the issue in the thread: + + http://marc.info/?l=dri-devel&m=123606627824556&w=2 + +noticed a bug in pci PAT code and memory type setting. + +PCI mmap code did not set the proper protection in vma, when it +inherited protection in reserve_memtype. This bug only affects +the case where there exists a WC mapping before X does an mmap +with /proc or /sys pci interface. This will cause X userlevel +mmap from /proc or /sysfs to fail on fork. + +Reported-by: Kevin Winchester +Signed-off-by: Venkatesh Pallipadi +Signed-off-by: Suresh Siddha +Cc: Jesse Barnes +Cc: Dave Airlie +Cc: +LKML-Reference: <20090323190720.GA16831@linux-os.sc.intel.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/pci/i386.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/pci/i386.c ++++ b/arch/x86/pci/i386.c +@@ -326,6 +326,9 @@ int pci_mmap_page_range(struct pci_dev * + return -EINVAL; + } + flags = new_flags; ++ vma->vm_page_prot = __pgprot( ++ (pgprot_val(vma->vm_page_prot) & ~_PAGE_CACHE_MASK) | ++ flags); + } + + if (((vma->vm_pgoff < max_low_pfn_mapped) || + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220924.195548317@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:09 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Andreas Herrmann , + trenn@suse.de, + Yinghai Lu , + Ingo Molnar , + Chris Wright +Subject: [patch 10/58] x86: mtrr: dont modify RdDram/WrDram bits of fixed MTRRs +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch +Content-Length: 6114 +Lines: 163 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Andreas Herrmann + +upstream commit: 3ff42da5048649503e343a32be37b14a6a4e8aaf + +Impact: bug fix + BIOS workaround + +BIOS is expected to clear the SYSCFG[MtrrFixDramModEn] on AMD CPUs +after fixed MTRRs are configured. + +Some BIOSes do not clear SYSCFG[MtrrFixDramModEn] on BP (and on APs). + +This can lead to obfuscation in Linux when this bit is not cleared on +BP but cleared on APs. A consequence of this is that the saved +fixed-MTRR state (from BP) differs from the fixed-MTRRs of APs -- +because RdDram/WrDram bits are read as zero when +SYSCFG[MtrrFixDramModEn] is cleared -- and Linux tries to sync +fixed-MTRR state from BP to AP. This implies that Linux sets +SYSCFG[MtrrFixDramEn] and activates those bits. + +More important is that (some) systems change these bits in SMM when +ACPI is enabled. Hence it is racy if Linux modifies RdMem/WrMem bits, +too. + +(1) The patch modifies an old fix from Bernhard Kaindl to get + suspend/resume working on some Acer Laptops. Bernhard's patch + tried to sync RdMem/WrMem bits of fixed MTRR registers and that + helped on those old Laptops. (Don't ask me why -- can't test it + myself). But this old problem was not the motivation for the + patch. (See http://lkml.org/lkml/2007/4/3/110) + +(2) The more important effect is to fix issues on some more current systems. + + On those systems Linux panics or just freezes, see + + http://bugzilla.kernel.org/show_bug.cgi?id=11541 + (and also duplicates of this bug: + http://bugzilla.kernel.org/show_bug.cgi?id=11737 + http://bugzilla.kernel.org/show_bug.cgi?id=11714) + + The affected systems boot only using acpi=ht, acpi=off or + when the kernel is built with CONFIG_MTRR=n. + + The acpi options prevent full enablement of ACPI. Obviously when + ACPI is enabled the BIOS/SMM modfies RdMem/WrMem bits. When + CONFIG_MTRR=y Linux also accesses and modifies those bits when it + needs to sync fixed-MTRRs across cores (Bernhard's fix, see (1)). + How do you synchronize that? You can't. As a consequence Linux + shouldn't touch those bits at all (Rationale are AMD's BKDGs which + recommend to clear the bit that makes RdMem/WrMem accessible). + This is the purpose of this patch. And (so far) this suffices to + fix (1) and (2). + +I suggest not to touch RdDram/WrDram bits of fixed-MTRRs and +SYSCFG[MtrrFixDramEn] and to clear SYSCFG[MtrrFixDramModEn] as +suggested by AMD K8, and AMD family 10h/11h BKDGs. +BIOS is expected to do this anyway. This should avoid that +Linux and SMM tread on each other's toes ... + +Signed-off-by: Andreas Herrmann +Cc: trenn@suse.de +Cc: Yinghai Lu +LKML-Reference: <20090312163937.GH20716@alberich.amd.com> +Cc: +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mtrr/generic.c | 51 +++++++++++++++++++++---------------- + 1 file changed, 30 insertions(+), 21 deletions(-) + +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -45,6 +45,32 @@ u64 mtrr_tom2; + static int mtrr_show; + module_param_named(show, mtrr_show, bool, 0); + ++/** ++ * BIOS is expected to clear MtrrFixDramModEn bit, see for example ++ * "BIOS and Kernel Developer's Guide for the AMD Athlon 64 and AMD ++ * Opteron Processors" (26094 Rev. 3.30 February 2006), section ++ * "13.2.1.2 SYSCFG Register": "The MtrrFixDramModEn bit should be set ++ * to 1 during BIOS initalization of the fixed MTRRs, then cleared to ++ * 0 for operation." ++ */ ++static inline void k8_check_syscfg_dram_mod_en(void) ++{ ++ u32 lo, hi; ++ ++ if (!((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && ++ (boot_cpu_data.x86 >= 0x0f))) ++ return; ++ ++ rdmsr(MSR_K8_SYSCFG, lo, hi); ++ if (lo & K8_MTRRFIXRANGE_DRAM_MODIFY) { ++ printk(KERN_ERR "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]" ++ " not cleared by BIOS, clearing this bit\n", ++ smp_processor_id()); ++ lo &= ~K8_MTRRFIXRANGE_DRAM_MODIFY; ++ mtrr_wrmsr(MSR_K8_SYSCFG, lo, hi); ++ } ++} ++ + /* + * Returns the effective MTRR type for the region + * Error returns: +@@ -178,6 +204,8 @@ get_fixed_ranges(mtrr_type * frs) + unsigned int *p = (unsigned int *) frs; + int i; + ++ k8_check_syscfg_dram_mod_en(); ++ + rdmsr(MTRRfix64K_00000_MSR, p[0], p[1]); + + for (i = 0; i < 2; i++) +@@ -312,27 +340,10 @@ void mtrr_wrmsr(unsigned msr, unsigned a + } + + /** +- * Enable and allow read/write of extended fixed-range MTRR bits on K8 CPUs +- * see AMD publication no. 24593, chapter 3.2.1 for more information +- */ +-static inline void k8_enable_fixed_iorrs(void) +-{ +- unsigned lo, hi; +- +- rdmsr(MSR_K8_SYSCFG, lo, hi); +- mtrr_wrmsr(MSR_K8_SYSCFG, lo +- | K8_MTRRFIXRANGE_DRAM_ENABLE +- | K8_MTRRFIXRANGE_DRAM_MODIFY, hi); +-} +- +-/** + * set_fixed_range - checks & updates a fixed-range MTRR if it differs from the value it should have + * @msr: MSR address of the MTTR which should be checked and updated + * @changed: pointer which indicates whether the MTRR needed to be changed + * @msrwords: pointer to the MSR values which the MSR should have +- * +- * If K8 extentions are wanted, update the K8 SYSCFG MSR also. +- * See AMD publication no. 24593, chapter 7.8.1, page 233 for more information. + */ + static void set_fixed_range(int msr, bool *changed, unsigned int *msrwords) + { +@@ -341,10 +352,6 @@ static void set_fixed_range(int msr, boo + rdmsr(msr, lo, hi); + + if (lo != msrwords[0] || hi != msrwords[1]) { +- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD && +- (boot_cpu_data.x86 >= 0x0f && boot_cpu_data.x86 <= 0x11) && +- ((msrwords[0] | msrwords[1]) & K8_MTRR_RDMEM_WRMEM_MASK)) +- k8_enable_fixed_iorrs(); + mtrr_wrmsr(msr, msrwords[0], msrwords[1]); + *changed = true; + } +@@ -428,6 +435,8 @@ static int set_fixed_ranges(mtrr_type * + bool changed = false; + int block=-1, range; + ++ k8_check_syscfg_dram_mod_en(); ++ + while (fixed_range_blocks[++block].ranges) + for (range=0; range < fixed_range_blocks[block].ranges; range++) + set_fixed_range(fixed_range_blocks[block].base_msr + range, + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220924.343650646@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:10 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tilman Schmidt , + "David S. Miller" +Subject: [patch 11/58] bas_gigaset: correctly allocate USB interrupt transfer buffer +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch +Content-Length: 2616 +Lines: 78 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Tilman Schmidt + +[ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ] + +Every USB transfer buffer has to be allocated individually by kmalloc. + +Impact: bugfix, no functional change + +Signed-off-by: Tilman Schmidt +Tested-by: Kolja Waschk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/gigaset/bas-gigaset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/isdn/gigaset/bas-gigaset.c ++++ b/drivers/isdn/gigaset/bas-gigaset.c +@@ -46,6 +46,9 @@ MODULE_PARM_DESC(cidmode, "Call-ID mode" + /* length limit according to Siemens 3070usb-protokoll.doc ch. 2.1 */ + #define IF_WRITEBUF 264 + ++/* interrupt pipe message size according to ibid. ch. 2.2 */ ++#define IP_MSGSIZE 3 ++ + /* Values for the Gigaset 307x */ + #define USB_GIGA_VENDOR_ID 0x0681 + #define USB_3070_PRODUCT_ID 0x0001 +@@ -110,7 +113,7 @@ struct bas_cardstate { + unsigned char *rcvbuf; /* AT reply receive buffer */ + + struct urb *urb_int_in; /* URB for interrupt pipe */ +- unsigned char int_in_buf[3]; ++ unsigned char *int_in_buf; + + spinlock_t lock; /* locks all following */ + int basstate; /* bitmap (BS_*) */ +@@ -657,7 +660,7 @@ static void read_int_callback(struct urb + } + + /* drop incomplete packets even if the missing bytes wouldn't matter */ +- if (unlikely(urb->actual_length < 3)) { ++ if (unlikely(urb->actual_length < IP_MSGSIZE)) { + dev_warn(cs->dev, "incomplete interrupt packet (%d bytes)\n", + urb->actual_length); + goto resubmit; +@@ -2127,6 +2130,7 @@ static void gigaset_reinitbcshw(struct b + static void gigaset_freecshw(struct cardstate *cs) + { + /* timers, URBs and rcvbuf are disposed of in disconnect */ ++ kfree(cs->hw.bas->int_in_buf); + kfree(cs->hw.bas); + cs->hw.bas = NULL; + } +@@ -2232,6 +2236,12 @@ static int gigaset_probe(struct usb_inte + } + hostif = interface->cur_altsetting; + } ++ ucs->int_in_buf = kmalloc(IP_MSGSIZE, GFP_KERNEL); ++ if (!ucs->int_in_buf) { ++ kfree(ucs); ++ pr_err("out of memory\n"); ++ return 0; ++ } + + /* Reject application specific interfaces + */ +@@ -2290,7 +2300,7 @@ static int gigaset_probe(struct usb_inte + usb_fill_int_urb(ucs->urb_int_in, udev, + usb_rcvintpipe(udev, + (endpoint->bEndpointAddress) & 0x0f), +- ucs->int_in_buf, 3, read_int_callback, cs, ++ ucs->int_in_buf, IP_MSGSIZE, read_int_callback, cs, + endpoint->bInterval); + if ((rc = usb_submit_urb(ucs->urb_int_in, GFP_KERNEL)) != 0) { + dev_err(cs->dev, "could not submit interrupt URB: %s\n", + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220924.494895991@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:11 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jay Vosburgh , + "David S. Miller" +Subject: [patch 12/58] bonding: Fix updating of speed/duplex changes +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=bonding-fix-updating-of-speed-duplex-changes.patch +Content-Length: 2305 +Lines: 79 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jay Vosburgh + +[ Upstream commit 17d04500e2528217de5fe967599f98ee84348a9c ] + + This patch corrects an omission from the following commit: + +commit f0c76d61779b153dbfb955db3f144c62d02173c2 +Author: Jay Vosburgh +Date: Wed Jul 2 18:21:58 2008 -0700 + + bonding: refactor mii monitor + + The un-refactored code checked the link speed and duplex of +every slave on every pass; the refactored code did not do so. + + The 802.3ad and balance-alb/tlb modes utilize the speed and +duplex information, and require it to be kept up to date. This patch +adds a notifier check to perform the appropriate updating when the slave +device speed changes. + +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++++----- + drivers/net/bonding/bonding.h | 6 ++++++ + 2 files changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/net/bonding/bonding.h ++++ b/drivers/net/bonding/bonding.h +@@ -248,6 +248,12 @@ static inline struct bonding *bond_get_b + return (struct bonding *)slave->dev->master->priv; + } + ++static inline bool bond_is_lb(const struct bonding *bond) ++{ ++ return bond->params.mode == BOND_MODE_TLB ++ || bond->params.mode == BOND_MODE_ALB; ++} ++ + #define BOND_FOM_NONE 0 + #define BOND_FOM_ACTIVE 1 + #define BOND_FOM_FOLLOW 2 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3516,11 +3516,26 @@ static int bond_slave_netdev_event(unsig + } + break; + case NETDEV_CHANGE: +- /* +- * TODO: is this what we get if somebody +- * sets up a hierarchical bond, then rmmod's +- * one of the slave bonding devices? +- */ ++ if (bond->params.mode == BOND_MODE_8023AD || bond_is_lb(bond)) { ++ struct slave *slave; ++ ++ slave = bond_get_slave_by_dev(bond, slave_dev); ++ if (slave) { ++ u16 old_speed = slave->speed; ++ u16 old_duplex = slave->duplex; ++ ++ bond_update_speed_duplex(slave); ++ ++ if (bond_is_lb(bond)) ++ break; ++ ++ if (old_speed != slave->speed) ++ bond_3ad_adapter_speed_changed(slave); ++ if (old_duplex != slave->duplex) ++ bond_3ad_adapter_duplex_changed(slave); ++ } ++ } ++ + break; + case NETDEV_DOWN: + /* + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009 +Message-Id: <20090429220924.768577493@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:12 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stephen Hemminger , + "David S. Miller" +Subject: [patch 13/58] bridge: bad error handling when adding invalid ether address +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=bridge-bad-error-handling-when-adding-invalid-ether-address.patch +Content-Length: 937 +Lines: 30 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Stephen Hemminger + +[ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ] + +This fixes an crash when empty bond device is added to a bridge. +If an interface with invalid ethernet address (all zero) is added +to a bridge, then bridge code detects it when setting up the forward +databas entry. But the error unwind is broken, the bridge port object +can get freed twice: once when ref count went to zeo, and once by kfree. +Since object is never really accessible, just free it. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br_if.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -419,7 +419,6 @@ err2: + err1: + kobject_del(&p->kobj); + err0: +- kobject_put(&p->kobj); + dev_set_promiscuity(dev, -1); + put_back: + dev_put(dev); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220924.931811645@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Pavel Emelyanov , + "David S. Miller" +Subject: [patch 14/58] ipv6: dont use tw net when accounting for recycled tw +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch +Content-Length: 1149 +Lines: 38 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Pavel Emelyanov + +[ Upstream commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9 ] + +We already have a valid net in that place, but this is not just a +cleanup - the tw pointer can be NULL there sometimes, thus causing +an oops in NET_NS=y case. + +The same place in ipv4 code already works correctly using existing +net, rather than tw's one. + +The bug exists since 2.6.27. + +Signed-off-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/inet6_hashtables.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -210,11 +210,11 @@ unique: + + if (twp != NULL) { + *twp = tw; +- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED); ++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED); + } else if (tw != NULL) { + /* Silly. Should hash-dance instead... */ + inet_twsk_deschedule(tw, death_row); +- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED); ++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED); + + inet_twsk_put(tw); + } + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220925.111124389@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jesper Nilsson , + "David S. Miller" +Subject: [patch 15/58] ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c) +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch +Content-Length: 1573 +Lines: 49 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jesper Nilsson + +[ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ] + +Commit 778d80be52699596bf70e0eb0761cf5e1e46088d +(ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface) +seems to have introduced a leak of sk_buff's for ipv6 traffic, +at least in some configurations where idev is NULL, or when ipv6 +is disabled via sysctl. + +The problem is that if the first condition of the if-statement +returns non-NULL, it returns an skb with only one reference, +and when the other conditions apply, execution jumps to the "out" +label, which does not call kfree_skb for it. + +To plug this leak, change to use the "drop" label instead. +(this relies on it being ok to call kfree_skb on NULL) +This also allows us to avoid calling rcu_read_unlock here, +and removes the only user of the "out" label. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_input.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -74,8 +74,7 @@ int ipv6_rcv(struct sk_buff *skb, struct + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL || + !idev || unlikely(idev->cnf.disable_ipv6)) { + IP6_INC_STATS_BH(idev, IPSTATS_MIB_INDISCARDS); +- rcu_read_unlock(); +- goto out; ++ goto drop; + } + + memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); +@@ -145,7 +144,6 @@ err: + drop: + rcu_read_unlock(); + kfree_skb(skb); +-out: + return 0; + } + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220925.292347131@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" , + Patrick McHardy +Subject: [patch 16/58] netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch +Content-Length: 1246 +Lines: 39 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Mark H. Weaver + +[ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ] + +This patch fixes an unaligned memory access in tcp_sack while reading +sequence numbers from TCP selective acknowledgement options. Prior to +applying this patch, upstream linux-2.6.27.20 was occasionally +generating messages like this on my sparc64 system: + + [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00 + +Acked-by: David S. Miller +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_proto_tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + +@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buf + for (i = 0; + i < (opsize - TCPOLEN_SACK_BASE); + i += TCPOLEN_SACK_PERBLOCK) { +- tmp = ntohl(*((__be32 *)(ptr+i)+1)); ++ tmp = get_unaligned_be32((__be32 *)(ptr+i)+1); + + if (after(tmp, *sack)) + *sack = tmp; + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220925.448819883@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Al Viro , + "David S. Miller" +Subject: [patch 17/58] net: fix sctp breakage +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=net-fix-sctp-breakage.patch +Content-Length: 879 +Lines: 29 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Al Viro + +[ Upstream commit cb0dc77de0d23615a845e45844a2e22fc224d7fe ] + +broken by commit 5e739d1752aca4e8f3e794d431503bfca3162df4; AFAICS should +be -stable fodder as well... + +Signed-off-by: Al Viro +Aced-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/endpointola.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/endpointola.c ++++ b/net/sctp/endpointola.c +@@ -111,7 +111,8 @@ static struct sctp_endpoint *sctp_endpoi + if (sctp_addip_enable) { + auth_chunks->chunks[0] = SCTP_CID_ASCONF; + auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK; +- auth_chunks->param_hdr.length += htons(2); ++ auth_chunks->param_hdr.length = ++ htons(sizeof(sctp_paramhdr_t) + 2); + } + } + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220925.606219157@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:17 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Etienne Basset , + Casey Schaufler , + Chris Wright +Subject: [patch 18/58] security/smack: fix oops when setting a size 0 SMACK64 xattr +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch +Content-Length: 1232 +Lines: 38 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Etienne Basset + +upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f + +this patch fix an oops in smack when setting a size 0 SMACK64 xattr eg +attr -S -s SMACK64 -V '' somefile +This oops because smk_import_entry treats a 0 length as SMK_MAXLEN + +Signed-off-by: Etienne Basset +Reviewed-by: James Morris +Acked-by: Casey Schaufler +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smack_lsm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -604,6 +604,8 @@ static int smack_inode_setxattr(struct d + strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { + if (!capable(CAP_MAC_ADMIN)) + rc = -EPERM; ++ if (size == 0) ++ rc = -EINVAL; + } else + rc = cap_inode_setxattr(dentry, name, value, size, flags); + +@@ -1360,7 +1362,7 @@ static int smack_inode_setsecurity(struc + struct socket *sock; + int rc = 0; + +- if (value == NULL || size > SMK_LABELLEN) ++ if (value == NULL || size > SMK_LABELLEN || size == 0) + return -EACCES; + + sp = smk_import(value, size); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009 +Message-Id: <20090429220925.755690732@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michael K Johnson , + "H. Peter Anvin" , + Chris Wright +Subject: [patch 19/58] x86, setup: mark %esi as clobbered in E820 BIOS call +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch +Content-Length: 1512 +Lines: 42 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Michael K. Johnson + +upstream commit: 01522df346f846906eaf6ca57148641476209909 + +Jordan Hargrave diagnosed a BIOS clobbering %esi in the E820 call. +That particular BIOS has been fixed, but there is a possibility that +this is responsible for other occasional reports of early boot +failure, and it does not hurt to add %esi to the clobbers. + +-stable candidate patch. + +Cc: Justin Forbes +Signed-off-by: Michael K Johnson +Signed-off-by: H. Peter Anvin +Cc: stable@kernel.org +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/memory.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/boot/memory.c ++++ b/arch/x86/boot/memory.c +@@ -27,13 +27,14 @@ static int detect_memory_e820(void) + do { + size = sizeof(struct e820entry); + +- /* Important: %edx is clobbered by some BIOSes, +- so it must be either used for the error output ++ /* Important: %edx and %esi are clobbered by some BIOSes, ++ so they must be either used for the error output + or explicitly marked clobbered. */ + asm("int $0x15; setc %0" + : "=d" (err), "+b" (next), "=a" (id), "+c" (size), + "=m" (*desc) +- : "D" (desc), "d" (SMAP), "a" (0xe820)); ++ : "D" (desc), "d" (SMAP), "a" (0xe820) ++ : "esi"); + + /* BIOSes which terminate the chain with CF = 1 as opposed + to %ebx = 0 don't always report the SMAP signature on + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220925.948430238@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:19 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 20/58] mm: do_xip_mapping_read: fix length calculation +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0031-mm-do_xip_mapping_read-fix-length-calculation.patch +Content-Length: 922 +Lines: 31 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Martin Schwidefsky + +upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8 + +The calculation of the value nr in do_xip_mapping_read is incorrect. If +the copy required more than one iteration in the do while loop the copies +variable will be non-zero. The maximum length that may be passed to the +call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the +check only compares against (nr > len). + +This bug is the cause for the heap corruption Carsten has been chasing +for so long: + +--- + mm/filemap_xip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/filemap_xip.c ++++ b/mm/filemap_xip.c +@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space + } + } + nr = nr - offset; +- if (nr > len) +- nr = len; ++ if (nr > len - copied) ++ nr = len - copied; + + error = mapping->a_ops->get_xip_mem(mapping, index, 0, + &xip_mem, &xip_pfn); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220926.062021009@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:20 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Wu Fengguang , + Chris Wright +Subject: [patch 21/58] vfs: skip I_CLEAR state inodes +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0034-vfs-skip-I_CLEAR-state-inodes.patch +Content-Length: 3523 +Lines: 91 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Wu Fengguang + +upstream commit: b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd + +clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so +_outside_ of inode_lock. So any I_FREEING testing is incomplete without a +coupled testing of I_CLEAR. + +So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and +add_dquot_ref(). + +Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara +reminds fixing the other two cases. + +Masayoshi MIZUMA has a nice panic flow: + +===================================================================== + [process A] | [process B] + | | + | prune_icache() | drop_pagecache() + | spin_lock(&inode_lock) | drop_pagecache_sb() + | inode->i_state |= I_FREEING; | | + | spin_unlock(&inode_lock) | V + | | | spin_lock(&inode_lock) + | V | | + | dispose_list() | | + | list_del() | | + | clear_inode() | | + | inode->i_state = I_CLEAR | | + | | | V + | | | if (inode->i_state & (I_FREEING|I_WILL_FREE)) + | | | continue; <==== NOT MATCH + | | | + | | | (DANGER from here on! Accessing disposing inode!) + | | | + | | | __iget() + | | | list_move() <===== PANIC on poisoned list !! + V V | +(time) +===================================================================== + +Reported-by: Masayoshi MIZUMA +Reviewed-by: Jan Kara +Signed-off-by: Wu Fengguang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[chrisw: backport to 2.6.29] +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/dquot.c | 2 +- + fs/drop_caches.c | 2 +- + fs/fs-writeback.c | 3 ++- + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/dquot.c ++++ b/fs/dquot.c +@@ -726,7 +726,7 @@ static void add_dquot_ref(struct super_b + continue; + if (!dqinit_needed(inode, type)) + continue; +- if (inode->i_state & (I_FREEING|I_WILL_FREE)) ++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE)) + continue; + + __iget(inode); +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct sup + + spin_lock(&inode_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { +- if (inode->i_state & (I_FREEING|I_WILL_FREE)) ++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE)) + continue; + if (inode->i_mapping->nrpages == 0) + continue; +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -538,7 +538,8 @@ void generic_sync_sb_inodes(struct super + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + struct address_space *mapping; + +- if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ++ if (inode->i_state & ++ (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW)) + continue; + mapping = inode->i_mapping; + if (mapping->nrpages == 0) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220926.269495766@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:21 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" , + Chris Wright +Subject: [patch 22/58] af_rose/x25: Sanity check the maximum user frame size +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch +Content-Length: 1833 +Lines: 64 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Cox + +upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 + +CVE-2009-0795. + +Otherwise we can wrap the sizes and end up sending garbage. + +Closes #10423 + +Signed-off-by: Alan Cox +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 6 +++++- + net/rose/af_rose.c | 4 ++++ + net/x25/af_x25.c | 6 ++++++ + 3 files changed, 15 insertions(+), 1 deletion(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb + + SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); + +- /* Build a packet */ ++ /* Build a packet - the conventional user limit is 236 bytes. We can ++ do ludicrously large NetROM frames but must not overflow */ ++ if (len > 65536) ++ return -EMSGSIZE; ++ + SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); + size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1120,6 +1120,10 @@ static int rose_sendmsg(struct kiocb *io + + /* Build a packet */ + SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); ++ /* Sanity check the packet size */ ++ if (len > 65535) ++ return -EMSGSIZE; ++ + size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; + + if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc + sx25.sx25_addr = x25->dest_addr; + } + ++ /* Sanity check the packet size */ ++ if (len > 65535) { ++ rc = -EMSGSIZE; ++ goto out; ++ } ++ + SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); + + /* Build a packet */ + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220926.377289559@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jean Delvare , + "David S. Miller" , + Chris Wright +Subject: [patch 23/58] net/netrom: Fix socket locking +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0044-net-netrom-Fix-socket-locking.patch +Content-Length: 1098 +Lines: 33 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jean Delvare + +upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab + +Patch "af_rose/x25: Sanity check the maximum user frame size" +(commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got +locking wrong. If we bail out due to user frame size being too large, +we must unlock the socket beforehand. + +Signed-off-by: Jean Delvare +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1084,8 +1084,10 @@ static int nr_sendmsg(struct kiocb *iocb + + /* Build a packet - the conventional user limit is 236 bytes. We can + do ludicrously large NetROM frames but must not overflow */ +- if (len > 65536) +- return -EMSGSIZE; ++ if (len > 65536) { ++ err = -EMSGSIZE; ++ goto out; ++ } + + SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); + size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220926.523009901@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Patrick McHardy , + Chris Wright +Subject: [patch 24/58] netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch +Content-Length: 2546 +Lines: 66 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Patrick McHardy + +upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558 + +Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case +search for loops) introduced a regression in the loop detection algorithm, +causing sporadic incorrectly detected loops. + +When a chain has already been visited during the check, it is treated as +having a standard target containing a RETURN verdict directly at the +beginning in order to not check it again. The real target of the first +rule is then incorrectly treated as STANDARD target and checked not to +contain invalid verdicts. + +Fix by making sure the rule does actually contain a standard target. + +Based on patch by Francis Dupont +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/arp_tables.c | 4 +++- + net/ipv4/netfilter/ip_tables.c | 4 +++- + net/ipv6/netfilter/ip6_tables.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -372,7 +372,9 @@ static int mark_source_chains(struct xt_ + && unconditional(&e->arp)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ ARPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -502,7 +502,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ip)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -529,7 +529,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ipv6)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IP6T_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009 +Message-Id: <20090429220926.729595728@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Miklos Szeredi , + Mark Fasheh , + Jens Axboe , + Chris Wright +Subject: [patch 25/58] splice: fix deadlock in splicing to file +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0049-splice-fix-deadlock-in-splicing-to-file.patch +Content-Length: 3869 +Lines: 114 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Miklos Szeredi + +upstream commit: 7bfac9ecf0585962fe13584f5cf526d8c8e76f17 + +There's a possible deadlock in generic_file_splice_write(), +splice_from_pipe() and ocfs2_file_splice_write(): + + - task A calls generic_file_splice_write() + - this calls inode_double_lock(), which locks i_mutex on both + pipe->inode and target inode + - ordering depends on inode pointers, can happen that pipe->inode is + locked first + - __splice_from_pipe() needs more data, calls pipe_wait() + - this releases lock on pipe->inode, goes to interruptible sleep + - task B calls generic_file_splice_write(), similarly to the first + - this locks pipe->inode, then tries to lock inode, but that is + already held by task A + - task A is interrupted, it tries to lock pipe->inode, but fails, as + it is already held by task B + - ABBA deadlock + +Fix this by explicitly ordering locks: the outer lock must be on +target inode and the inner lock (which is later unlocked and relocked) +must be on pipe->inode. This is OK, pipe inodes and target inodes +form two nonoverlapping sets, generic_file_splice_write() and friends +are not called with a target which is a pipe. + +Signed-off-by: Miklos Szeredi +Acked-by: Mark Fasheh +Acked-by: Jens Axboe +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 8 ++++++-- + fs/splice.c | 25 ++++++++++++++++++++----- + 2 files changed, 26 insertions(+), 7 deletions(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2089,7 +2089,7 @@ static ssize_t ocfs2_file_splice_write(s + out->f_path.dentry->d_name.len, + out->f_path.dentry->d_name.name); + +- inode_double_lock(inode, pipe->inode); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); + + ret = ocfs2_rw_lock(inode, 1); + if (ret < 0) { +@@ -2104,12 +2104,16 @@ static ssize_t ocfs2_file_splice_write(s + goto out_unlock; + } + ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); + + out_unlock: + ocfs2_rw_unlock(inode, 1); + out: +- inode_double_unlock(inode, pipe->inode); ++ mutex_unlock(&inode->i_mutex); + + mlog_exit(ret); + return ret; +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -735,10 +735,19 @@ ssize_t splice_from_pipe(struct pipe_ino + * ->commit_write. Most of the time, these expect i_mutex to + * be held. Since this may result in an ABBA deadlock with + * pipe->inode, we have to order lock acquiry here. ++ * ++ * Outer lock must be inode->i_mutex, as pipe_wait() will ++ * release and reacquire pipe->inode->i_mutex, AND inode must ++ * never be a pipe. + */ +- inode_double_lock(inode, pipe->inode); ++ WARN_ON(S_ISFIFO(inode->i_mode)); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = __splice_from_pipe(pipe, &sd, actor); +- inode_double_unlock(inode, pipe->inode); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); ++ mutex_unlock(&inode->i_mutex); + + return ret; + } +@@ -829,11 +838,17 @@ generic_file_splice_write(struct pipe_in + }; + ssize_t ret; + +- inode_double_lock(inode, pipe->inode); ++ WARN_ON(S_ISFIFO(inode->i_mode)); ++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); + ret = file_remove_suid(out); +- if (likely(!ret)) ++ if (likely(!ret)) { ++ if (pipe->inode) ++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD); + ret = __splice_from_pipe(pipe, &sd, pipe_to_file); +- inode_double_unlock(inode, pipe->inode); ++ if (pipe->inode) ++ mutex_unlock(&pipe->inode->i_mutex); ++ } ++ mutex_unlock(&inode->i_mutex); + if (ret > 0) { + unsigned long nr_pages; + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220926.934898140@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Akinobu Mita , + Takashi Iwai , + Chris Wright +Subject: [patch 26/58] ALSA: hda - add missing comma in ad1884_slave_vols +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch +Content-Length: 737 +Lines: 24 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Akinobu Mita + +upstream commit: bca68467b59a24396554d8dd5979ee363c174854 + +Signed-off-by: Akinobu Mita +Signed-off-by: Takashi Iwai +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_analog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_analog.c ++++ b/sound/pci/hda/patch_analog.c +@@ -3220,7 +3220,7 @@ static const char *ad1884_slave_vols[] = + "Mic Playback Volume", + "CD Playback Volume", + "Internal Mic Playback Volume", +- "Docking Mic Playback Volume" ++ "Docking Mic Playback Volume", + "Beep Playback Volume", + "IEC958 Playback Volume", + NULL + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.114222967@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jean Delvare , + Mike Christie , + James Bottomley , + Chris Wright +Subject: [patch 27/58] SCSI: libiscsi: fix iscsi pool error path +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch +Content-Length: 1498 +Lines: 43 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jean Delvare + +upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b + +Memory freeing in iscsi_pool_free() looks wrong to me. Either q->pool +can be NULL and this should be tested before dereferencing it, or it +can't be NULL and it shouldn't be tested at all. As far as I can see, +the only case where q->pool is NULL is on early error in +iscsi_pool_init(). One possible way to fix the bug is thus to not +call iscsi_pool_free() in this case (nothing needs to be freed anyway) +and then we can get rid of the q->pool check. + +Signed-off-by: Jean Delvare +Signed-off-by: Mike Christie +Signed-off-by: James Bottomley +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1807,7 +1807,7 @@ iscsi_pool_init(struct iscsi_pool *q, in + num_arrays++; + q->pool = kzalloc(num_arrays * max * sizeof(void*), GFP_KERNEL); + if (q->pool == NULL) +- goto enomem; ++ return -ENOMEM; + + q->queue = kfifo_init((void*)q->pool, max * sizeof(void*), + GFP_KERNEL, NULL); +@@ -1842,8 +1842,7 @@ void iscsi_pool_free(struct iscsi_pool * + + for (i = 0; i < q->max; i++) + kfree(q->pool[i]); +- if (q->pool) +- kfree(q->pool); ++ kfree(q->pool); + kfree(q->queue); + } + EXPORT_SYMBOL_GPL(iscsi_pool_free); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.309155133@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mike Christie , + James Bottomley , + Chris Wright +Subject: [patch 28/58] SCSI: libiscsi: fix iscsi pool error path again +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch +Content-Length: 1499 +Lines: 43 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jean Delvare + +upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522 + +Le lundi 30 mars 2009, Chris Wright a écrit : +> q->queue could be ERR_PTR(-ENOMEM) which will break unwinding +> on error. Make iscsi_pool_free more defensive. +> + +Making the freeing of q->queue dependent on q->pool being set looks +really weird (although it is correct at the moment. But this seems +to be fixable in a much simpler way. + +With the benefit that only the error case is slowed down. In both +cases we have a problem if q->queue contains an error value but it's +not -ENOMEM. Apparently this can't happen today, but it doesn't feel +right to assume this will always be true. Maybe it's the right time +to fix this as well. + +Signed-off-by: Mike Christie +Signed-off-by: James Bottomley +[chrisw: this is a fixlet to f474a37b, also in -stable] +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1811,8 +1811,10 @@ iscsi_pool_init(struct iscsi_pool *q, in + + q->queue = kfifo_init((void*)q->pool, max * sizeof(void*), + GFP_KERNEL, NULL); +- if (q->queue == ERR_PTR(-ENOMEM)) ++ if (IS_ERR(q->queue)) { ++ q->queue = NULL; + goto enomem; ++ } + + for (i = 0; i < max; i++) { + q->pool[i] = kzalloc(item_size, GFP_KERNEL); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.416887820@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Nathan Lynch , + Nigel Cunningham , + containers@lists.linux-foundation.org, + linux-pm@lists.linux-foundation.org, + Matt Helsley , + Ingo Molnar , + Chris Wright +Subject: [patch 29/58] sched: do not count frozen tasks toward load +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0060-sched-do-not-count-frozen-tasks-toward-load.patch +Content-Length: 1987 +Lines: 48 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Nathan Lynch + +upstream commit: e3c8ca8336707062f3f7cb1cd7e6b3c753baccdd + +Freezing tasks via the cgroup freezer causes the load average to climb +because the freezer's current implementation puts frozen tasks in +uninterruptible sleep (D state). + +Some applications which perform job-scheduling functions consult the +load average when making decisions. If a cgroup is frozen, the load +average does not provide a useful measure of the system's utilization +to such applications. This is especially inconvenient if the job +scheduler employs the cgroup freezer as a mechanism for preempting low +priority jobs. Contrast this with using SIGSTOP for the same purpose: +the stopped tasks do not count toward system load. + +Change task_contributes_to_load() to return false if the task is +frozen. This results in /proc/loadavg behavior that better meets +users' expectations. + +Signed-off-by: Nathan Lynch +Acked-by: Andrew Morton +Acked-by: Nigel Cunningham +Tested-by: Nigel Cunningham +Cc: containers@lists.linux-foundation.org +Cc: linux-pm@lists.linux-foundation.org +Cc: Matt Helsley +LKML-Reference: <20090408194512.47a99b95@manatee.lan> +Signed-off-by: Ingo Molnar +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -201,7 +201,8 @@ extern unsigned long long time_sync_thre + #define task_is_stopped_or_traced(task) \ + ((task->state & (__TASK_STOPPED | __TASK_TRACED)) != 0) + #define task_contributes_to_load(task) \ +- ((task->state & TASK_UNINTERRUPTIBLE) != 0) ++ ((task->state & TASK_UNINTERRUPTIBLE) != 0 && \ ++ (task->flags & PF_FROZEN) == 0) + + #define __set_task_state(tsk, state_value) \ + do { (tsk)->state = (state_value); } while (0) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.546987392@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Serge E. Hallyn" , + "J. Bruce Fields" , + Chris Wright +Subject: [patch 30/58] add some long-missing capabilities to fs_mask +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0063-add-some-long-missing-capabilities-to-fs_mask.patch +Content-Length: 2904 +Lines: 76 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Serge E. Hallyn + +upstream commit: 0ad30b8fd5fe798aae80df6344b415d8309342cc + +When POSIX capabilities were introduced during the 2.1 Linux +cycle, the fs mask, which represents the capabilities which having +fsuid==0 is supposed to grant, did not include CAP_MKNOD and +CAP_LINUX_IMMUTABLE. However, before capabilities the privilege +to call these did in fact depend upon fsuid==0. + +This patch introduces those capabilities into the fsmask, +restoring the old behavior. + +See the thread starting at http://lkml.org/lkml/2009/3/11/157 for +reference. + +Note that if this fix is deemed valid, then earlier kernel versions (2.4 +and 2.2) ought to be fixed too. + +Changelog: + [Mar 23] Actually delete old CAP_FS_SET definition... + [Mar 20] Updated against J. Bruce Fields's patch + +Reported-by: Igor Zhbanov +Signed-off-by: Serge E. Hallyn +Cc: stable@kernel.org +Cc: J. Bruce Fields +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/capability.h | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -366,7 +366,21 @@ typedef struct kernel_cap_struct { + #define CAP_FOR_EACH_U32(__capi) \ + for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) + ++/* ++ * CAP_FS_MASK and CAP_NFSD_MASKS: ++ * ++ * The fs mask is all the privileges that fsuid==0 historically meant. ++ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. ++ * ++ * It has never meant setting security.* and trusted.* xattrs. ++ * ++ * We could also define fsmask as follows: ++ * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions ++ * 2. The security.* and trusted.* xattrs are fs-related MAC permissions ++ */ ++ + # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ ++ | CAP_TO_MASK(CAP_MKNOD) \ + | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ + | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ + | CAP_TO_MASK(CAP_FOWNER) \ +@@ -381,11 +395,12 @@ typedef struct kernel_cap_struct { + # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) + # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) + # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}) +-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } }) ++# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ ++ | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ ++ CAP_FS_MASK_B1 } }) + # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ +- | CAP_TO_MASK(CAP_SYS_RESOURCE) \ +- | CAP_TO_MASK(CAP_MKNOD), \ +- CAP_FS_MASK_B1 } }) ++ | CAP_TO_MASK(CAP_SYS_RESOURCE), \ ++ CAP_FS_MASK_B1 } }) + + #endif /* _KERNEL_CAPABILITY_U32S != 2 */ + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.709990654@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Paul Mackerras , + Chris Wright +Subject: [patch 31/58] powerpc: Fix data-corrupting bug in __futex_atomic_op +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch +Content-Length: 2090 +Lines: 58 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Paul Mackerras + +upstream commit: 306a82881b14d950d59e0b59a55093a07d82aa9a + +Richard Henderson pointed out that the powerpc __futex_atomic_op has a +bug: it will write the wrong value if the stwcx. fails and it has to +retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten +by the result from the first time around the loop. This happens +because it uses the same register for 'oparg' (an input) as it uses +for the result. + +This fixes it by using separate registers for 'oparg' and 'ret'. + +Cc: stable@kernel.org +Signed-off-by: Paul Mackerras +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/futex.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/futex.h ++++ b/arch/powerpc/include/asm/futex.h +@@ -27,7 +27,7 @@ + PPC_LONG "1b,4b,2b,4b\n" \ + ".previous" \ + : "=&r" (oldval), "=&r" (ret) \ +- : "b" (uaddr), "i" (-EFAULT), "1" (oparg) \ ++ : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \ + : "cr0", "memory") + + static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr) +@@ -47,19 +47,19 @@ static inline int futex_atomic_op_inuser + + switch (op) { + case FUTEX_OP_SET: +- __futex_atomic_op("", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_ADD: +- __futex_atomic_op("add %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_OR: +- __futex_atomic_op("or %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_ANDN: +- __futex_atomic_op("andc %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_XOR: +- __futex_atomic_op("xor %1,%0,%1\n", ret, oldval, uaddr, oparg); ++ __futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg); + break; + default: + ret = -ENOSYS; + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009 +Message-Id: <20090429220927.836931426@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sergei Shtylyov , + Bartlomiej Zolnierkiewicz , + Chris Wright +Subject: [patch 32/58] hpt366: fix HPT370 DMA timeouts +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0069-hpt366-fix-HPT370-DMA-timeouts.patch +Content-Length: 1519 +Lines: 42 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Sergei Shtylyov + +upstream commit: c018f1ee5cf81e58b93d9e93a2ee39cad13dc1ac + +The big driver change in 2.4.19-rc1 introduced a regression for many HPT370[A] +chips -- DMA stopped to work completely, only causing endless timeouts... + +The culprit has been identified (at last!): it turned to be the code resetting +the DMA state machine before each transfer. Stop doing it now as this counter- +measure has clearly caused more harm than good. + +This should fix the kernel.org bug #7703. + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ide/pci/hpt366.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ide/pci/hpt366.c ++++ b/drivers/ide/pci/hpt366.c +@@ -114,6 +114,8 @@ + * the register setting lists into the table indexed by the clock selected + * - set the correct hwif->ultra_mask for each individual chip + * - add Ultra and MW DMA mode filtering for the HPT37[24] based SATA cards ++ * - stop resetting HPT370's state machine before each DMA transfer as that has ++ * caused more harm than good + * Sergei Shtylyov, or + */ + +@@ -134,7 +136,7 @@ + #define DRV_NAME "hpt366" + + /* various tuning parameters */ +-#define HPT_RESET_STATE_ENGINE ++#undef HPT_RESET_STATE_ENGINE + #undef HPT_DELAY_INTERRUPT + #define HPT_SERIALIZE_IO 0 + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220927.980460357@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:32 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sergei Shtylyov , + Jeff Garzik , + Chris Wright +Subject: [patch 33/58] pata_hpt37x: fix HPT370 DMA timeouts +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch +Content-Length: 2123 +Lines: 69 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Sergei Shtylyov + +upstream commit: 265b7215aed36941620b65ecfff516200fb190c1 + +The libata driver has copied the code from the IDE driver which caused a post +2.4.18 regression on many HPT370[A] chips -- DMA stopped to work completely, +only causing timeouts. Now remove hpt370_bmdma_start() for good... + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Jeff Garzik +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_hpt37x.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/ata/pata_hpt37x.c ++++ b/drivers/ata/pata_hpt37x.c +@@ -8,7 +8,7 @@ + * Copyright (C) 1999-2003 Andre Hedrick + * Portions Copyright (C) 2001 Sun Microsystems, Inc. + * Portions Copyright (C) 2003 Red Hat Inc +- * Portions Copyright (C) 2005-2007 MontaVista Software, Inc. ++ * Portions Copyright (C) 2005-2009 MontaVista Software, Inc. + * + * TODO + * Look into engine reset on timeout errors. Should not be required. +@@ -24,7 +24,7 @@ + #include + + #define DRV_NAME "pata_hpt37x" +-#define DRV_VERSION "0.6.11" ++#define DRV_VERSION "0.6.12" + + struct hpt_clock { + u8 xfer_speed; +@@ -445,23 +445,6 @@ static void hpt370_set_dmamode(struct at + } + + /** +- * hpt370_bmdma_start - DMA engine begin +- * @qc: ATA command +- * +- * The 370 and 370A want us to reset the DMA engine each time we +- * use it. The 372 and later are fine. +- */ +- +-static void hpt370_bmdma_start(struct ata_queued_cmd *qc) +-{ +- struct ata_port *ap = qc->ap; +- struct pci_dev *pdev = to_pci_dev(ap->host->dev); +- pci_write_config_byte(pdev, 0x50 + 4 * ap->port_no, 0x37); +- udelay(10); +- ata_bmdma_start(qc); +-} +- +-/** + * hpt370_bmdma_end - DMA engine stop + * @qc: ATA command + * +@@ -598,7 +581,6 @@ static struct scsi_host_template hpt37x_ + static struct ata_port_operations hpt370_port_ops = { + .inherits = &ata_bmdma_port_ops, + +- .bmdma_start = hpt370_bmdma_start, + .bmdma_stop = hpt370_bmdma_stop, + + .mode_filter = hpt370_filter, + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220928.132621395@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:33 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jonathan McDowell , + David Brownell , + Chris Wright +Subject: [patch 34/58] usb gadget: fix ethernet link reports to ethtool +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch +Content-Length: 1583 +Lines: 44 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jonathan McDowell + +upstream commit: 237e75bf1e558f7330f8deb167fa3116405bef2c + +The g_ether USB gadget driver currently decides whether or not there's a +link to report back for eth_get_link based on if the USB link speed is +set. The USB gadget speed is however often set even before the device is +enumerated. It seems more sensible to only report a "link" if we're +actually connected to a host that wants to talk to us. The patch below +does this for me - tested with the PXA27x UDC driver. + +Signed-off-by: Jonathan McDowell +Signed-off-by: David Brownell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/gadget/u_ether.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/usb/gadget/u_ether.c ++++ b/drivers/usb/gadget/u_ether.c +@@ -175,12 +175,6 @@ static void eth_get_drvinfo(struct net_d + strlcpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof p->bus_info); + } + +-static u32 eth_get_link(struct net_device *net) +-{ +- struct eth_dev *dev = netdev_priv(net); +- return dev->gadget->speed != USB_SPEED_UNKNOWN; +-} +- + /* REVISIT can also support: + * - WOL (by tracking suspends and issuing remote wakeup) + * - msglevel (implies updated messaging) +@@ -189,7 +183,7 @@ static u32 eth_get_link(struct net_devic + + static struct ethtool_ops ops = { + .get_drvinfo = eth_get_drvinfo, +- .get_link = eth_get_link ++ .get_link = ethtool_op_get_link, + }; + + static void defer_kevent(struct eth_dev *dev, int flag) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220928.280580763@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Peter Korsgaard , + Chris Wright +Subject: [patch 35/58] USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch +Content-Length: 1149 +Lines: 39 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Peter Korsgaard + +upstream commit: ae27d84351f1f3568118318a8c40ff3a154bd629 + +Signed-off-by: Peter Korsgaard +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio.h | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -662,6 +662,7 @@ static struct usb_device_id id_table_com + { USB_DEVICE(DE_VID, WHT_PID) }, + { USB_DEVICE(ADI_VID, ADI_GNICE_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +--- a/drivers/usb/serial/ftdi_sio.h ++++ b/drivers/usb/serial/ftdi_sio.h +@@ -890,6 +890,13 @@ + #define ADI_GNICE_PID 0xF000 + + /* ++ * JETI SPECTROMETER SPECBOS 1201 ++ * http://www.jeti.com/products/sys/scb/scb1201.php ++ */ ++#define JETI_VID 0x0c6c ++#define JETI_SPC1201_PID 0x04b2 ++ ++/* + * BmRequestType: 1100 0000b + * bRequest: FTDI_E2_READ + * wValue: 0 + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220928.432626483@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:35 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oliver Neukum , + Chris Wright +Subject: [patch 36/58] USB: fix oops in cdc-wdm in case of malformed descriptors +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch +Content-Length: 681 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oliver Neukum + +upstream commit: e13c594f3a1fc2c78e7a20d1a07974f71e4b448f + +cdc-wdm needs to ignore extremely malformed descriptors. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/class/cdc-wdm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -641,7 +641,7 @@ next_desc: + + iface = &intf->altsetting[0]; + ep = &iface->endpoint[0].desc; +- if (!usb_endpoint_is_int_in(ep)) { ++ if (!ep || !usb_endpoint_is_int_in(ep)) { + rv = -EINVAL; + goto err; + } + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220928.583064537@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:36 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Stern , + Chris Wright +Subject: [patch 37/58] USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch +Content-Length: 1277 +Lines: 36 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alan Stern + +upstream commit: e4813eec8d47c8299d968bd5349dc881fa481c26 + +This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs +entry for the Simple Tech/Datafab controller. This fixes Bugzilla +#12882. + +Signed-off-by: Alan Stern +Reported-and-tested-by: binbin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/storage/unusual_devs.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1241,12 +1241,14 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0x + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_FIX_INQUIRY ), + +-/* Reported by Rauch Wolke */ ++/* Reported by Rauch Wolke ++ * and augmented by binbin (Bugzilla #12882) ++ */ + UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff, + "Simple Tech/Datafab", + "CF+SM Reader", + US_SC_DEVICE, US_PR_DEVICE, NULL, +- US_FL_IGNORE_RESIDUE ), ++ US_FL_IGNORE_RESIDUE | US_FL_MAX_SECTORS_64 ), + + /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant + * to the USB storage specification in two ways: + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009 +Message-Id: <20090429220928.710421504@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:37 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Shaohua Li , + Dave Airlie , + Chris Wright +Subject: [patch 38/58] agp: zero pages before sending to userspace +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0093-agp-zero-pages-before-sending-to-userspace.patch +Content-Length: 825 +Lines: 28 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +upstream commit: 59de2bebabc5027f93df999d59cc65df591c3e6e + +CVE-2009-1192 + +AGP pages might be mapped into userspace finally, so the pages should be +set to zero before userspace can use it. Otherwise there is potential +information leakage. + +Signed-off-by: Shaohua Li +Signed-off-by: Dave Airlie +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/agp/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/agp/generic.c ++++ b/drivers/char/agp/generic.c +@@ -1207,7 +1207,7 @@ void *agp_generic_alloc_page(struct agp_ + { + struct page * page; + +- page = alloc_page(GFP_KERNEL | GFP_DMA32); ++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO); + if (page == NULL) + return NULL; + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220928.849214831@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:38 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + William Irwin , + Akinobu Mita , + Chris Wright +Subject: [patch 39/58] hugetlbfs: return negative error code for bad mount option +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch +Content-Length: 1289 +Lines: 49 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Akinobu Mita + +upstream commit: c12ddba09394c60e1120e6997794fa6ed52da884 + +This fixes the following BUG: + + # mount -o size=MM -t hugetlbfs none /huge + hugetlbfs: Bad value 'MM' for mount option 'size=MM' + ------------[ cut here ]------------ + kernel BUG at fs/super.c:996! + +Due to + + BUG_ON(!mnt->mnt_sb); + +in vfs_kern_mount(). + +Also, remove unused #include + +Cc: William Irwin +Signed-off-by: Akinobu Mita +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -26,7 +26,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -838,7 +837,7 @@ hugetlbfs_parse_options(char *options, s + bad_val: + printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n", + args[0].from, p); +- return 1; ++ return -EINVAL; + } + + static int + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.014406153@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:39 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ananth N Mavinakayanahalli , + Masami Hiramatsu , + Jim Keniston , + Ingo Molnar +Subject: [patch 40/58] kprobes: Fix locking imbalance in kretprobes +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=kprobes-fix-locking-imbalance-in-kretprobes.patch +Content-Length: 2891 +Lines: 82 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Ananth N Mavinakayanahalli + +commit f02b8624fedca39886b0eef770dca70c2f0749b3 upstream. + +Fix locking imbalance in kretprobes: + +===================================== +[ BUG: bad unlock balance detected! ] +------------------------------------- +kthreadd/2 is trying to release lock (&rp->lock) at: +[] pre_handler_kretprobe+0xea/0xf4 +but there are no more locks to release! + +other info that might help us debug this: +1 lock held by kthreadd/2: + #0: (rcu_read_lock){..--}, at: [] __atomic_notifier_call_chain+0x0/0x5a + +stack backtrace: +Pid: 2, comm: kthreadd Not tainted 2.6.29-rc8 #1 +Call Trace: + [] ? printk+0xf/0x17 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] print_unlock_inbalance_bug+0xc3/0xce + [] ? clocksource_read+0x7/0xa + [] ? getnstimeofday+0x5f/0xf6 + [] ? register_lock_class+0x17/0x293 + [] ? mark_lock+0x1e/0x30b + [] ? tick_dev_program_event+0x4a/0xbc + [] ? __slab_alloc+0xa5/0x415 + [] ? pre_handler_kretprobe+0x28/0xf4 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] lock_release_non_nested+0xa4/0x1a5 + [] ? pre_handler_kretprobe+0xea/0xf4 + [] lock_release+0x141/0x166 + [] _spin_unlock_irqrestore+0x19/0x50 + [] pre_handler_kretprobe+0xea/0xf4 + [] kprobe_exceptions_notify+0x1c9/0x43e + [] notifier_call_chain+0x26/0x48 + [] __atomic_notifier_call_chain+0x37/0x5a + [] ? __atomic_notifier_call_chain+0x0/0x5a + [] atomic_notifier_call_chain+0xc/0xe + [] notify_die+0x2d/0x2f + [] do_int3+0x1f/0x71 + [] int3+0x2c/0x34 + [] ? do_fork+0x1/0x288 + [] ? kernel_thread+0x71/0x79 + [] ? kthread+0x0/0x60 + [] ? kthread+0x0/0x60 + [] ? kernel_thread_helper+0x0/0x10 + [] kthreadd+0xac/0x148 + [] ? kthreadd+0x0/0x148 + [] kernel_thread_helper+0x7/0x10 + +Signed-off-by: Ananth N Mavinakayanahalli +Tested-by: Bharata B Rao +Cc: Masami Hiramatsu +Cc: Jim Keniston +Cc: Linus Torvalds +Cc: Andrew Morton +LKML-Reference: <20090318113621.GB4129@in.ibm.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -890,10 +890,8 @@ static int __kprobes pre_handler_kretpro + ri->rp = rp; + ri->task = current; + +- if (rp->entry_handler && rp->entry_handler(ri, regs)) { +- spin_unlock_irqrestore(&rp->lock, flags); ++ if (rp->entry_handler && rp->entry_handler(ri, regs)) + return 0; +- } + + arch_prepare_kretprobe(ri, regs); + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.139768044@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:40 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jens Axboe +Subject: [patch 41/58] block: revert part of 18ce3751ccd488c78d3827e9f6bf54e6322676fb +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch +Content-Length: 1854 +Lines: 66 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Jens Axboe + +commit 78f707bfc723552e8309b7c38a8d0cc51012e813 upstream. + +The above commit added WRITE_SYNC and switched various places to using +that for committing writes that will be waited upon immediately after +submission. However, this causes a performance regression with AS and CFQ +for ext3 at least, since sync_dirty_buffer() will submit some writes with +WRITE_SYNC while ext3 has sumitted others dependent writes without the sync +flag set. This causes excessive anticipation/idling in the IO scheduler +because sync and async writes get interleaved, causing a big performance +regression for the below test case (which is meant to simulate sqlite +like behaviour). + +---- test case ---- + +int main(int argc, char **argv) +{ + + int fdes, i; + FILE *fp; + struct timeval start; + struct timeval end; + struct timeval res; + + gettimeofday(&start, NULL); + for (i=0; i +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -3042,7 +3042,7 @@ int sync_dirty_buffer(struct buffer_head + if (test_clear_buffer_dirty(bh)) { + get_bh(bh); + bh->b_end_io = end_buffer_write_sync; +- ret = submit_bh(WRITE_SYNC, bh); ++ ret = submit_bh(WRITE, bh); + wait_on_buffer(bh); + if (buffer_eopnotsupp(bh)) { + clear_buffer_eopnotsupp(bh); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.295259303@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:41 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ivan Vecera , + Francois Romieu , + "David S. Miller" +Subject: [patch 42/58] r8169: Dont update statistics counters when interface is down +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=r8169-don-t-update-statistics-counters-when-interface-is-down.patch +Content-Length: 5482 +Lines: 177 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Francois Romieu + +Upstream as 355423d0849f4506bc71ab2738d38cb74429aaef (post 2.6.28). + +Some Realtek chips (RTL8169sb/8110sb in my case) are unable to retrieve +ethtool statistics when the interface is down. The process stays in +endless loop in rtl8169_get_ethtool_stats. This is because these chips +need to have receiver enabled (CmdRxEnb bit in ChipCmd register) that is +cleared when the interface is going down. It's better to update statistics +only when the interface is up and otherwise return copy of statistics +grabbed when the interface was up (in rtl8169_close). + +It is interesting that PCI-E NICs (like 8168b/8111b...) are not affected. + +Signed-off-by: Ivan Vecera +Acked-by: Francois Romieu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 93 ++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 58 insertions(+), 35 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -375,6 +375,22 @@ enum features { + RTL_FEATURE_GMII = (1 << 2), + }; + ++struct rtl8169_counters { ++ __le64 tx_packets; ++ __le64 rx_packets; ++ __le64 tx_errors; ++ __le32 rx_errors; ++ __le16 rx_missed; ++ __le16 align_errors; ++ __le32 tx_one_collision; ++ __le32 tx_multi_collision; ++ __le64 rx_unicast; ++ __le64 rx_broadcast; ++ __le32 rx_multicast; ++ __le16 tx_aborted; ++ __le16 tx_underun; ++}; ++ + struct rtl8169_private { + void __iomem *mmio_addr; /* memory map physical address */ + struct pci_dev *pci_dev; /* Index of PCI device */ +@@ -416,6 +432,7 @@ struct rtl8169_private { + unsigned features; + + struct mii_if_info mii; ++ struct rtl8169_counters counters; + }; + + MODULE_AUTHOR("Realtek and the Linux r8169 crew "); +@@ -960,22 +977,6 @@ static const char rtl8169_gstrings[][ETH + "tx_underrun", + }; + +-struct rtl8169_counters { +- __le64 tx_packets; +- __le64 rx_packets; +- __le64 tx_errors; +- __le32 rx_errors; +- __le16 rx_missed; +- __le16 align_errors; +- __le32 tx_one_collision; +- __le32 tx_multi_collision; +- __le64 rx_unicast; +- __le64 rx_broadcast; +- __le32 rx_multicast; +- __le16 tx_aborted; +- __le16 tx_underun; +-}; +- + static int rtl8169_get_sset_count(struct net_device *dev, int sset) + { + switch (sset) { +@@ -986,16 +987,21 @@ static int rtl8169_get_sset_count(struct + } + } + +-static void rtl8169_get_ethtool_stats(struct net_device *dev, +- struct ethtool_stats *stats, u64 *data) ++static void rtl8169_update_counters(struct net_device *dev) + { + struct rtl8169_private *tp = netdev_priv(dev); + void __iomem *ioaddr = tp->mmio_addr; + struct rtl8169_counters *counters; + dma_addr_t paddr; + u32 cmd; ++ int wait = 1000; + +- ASSERT_RTNL(); ++ /* ++ * Some chips are unable to dump tally counters when the receiver ++ * is disabled. ++ */ ++ if ((RTL_R8(ChipCmd) & CmdRxEnb) == 0) ++ return; + + counters = pci_alloc_consistent(tp->pci_dev, sizeof(*counters), &paddr); + if (!counters) +@@ -1006,31 +1012,45 @@ static void rtl8169_get_ethtool_stats(st + RTL_W32(CounterAddrLow, cmd); + RTL_W32(CounterAddrLow, cmd | CounterDump); + +- while (RTL_R32(CounterAddrLow) & CounterDump) { +- if (msleep_interruptible(1)) ++ while (wait--) { ++ if ((RTL_R32(CounterAddrLow) & CounterDump) == 0) { ++ /* copy updated counters */ ++ memcpy(&tp->counters, counters, sizeof(*counters)); + break; ++ } ++ udelay(10); + } + + RTL_W32(CounterAddrLow, 0); + RTL_W32(CounterAddrHigh, 0); + +- data[0] = le64_to_cpu(counters->tx_packets); +- data[1] = le64_to_cpu(counters->rx_packets); +- data[2] = le64_to_cpu(counters->tx_errors); +- data[3] = le32_to_cpu(counters->rx_errors); +- data[4] = le16_to_cpu(counters->rx_missed); +- data[5] = le16_to_cpu(counters->align_errors); +- data[6] = le32_to_cpu(counters->tx_one_collision); +- data[7] = le32_to_cpu(counters->tx_multi_collision); +- data[8] = le64_to_cpu(counters->rx_unicast); +- data[9] = le64_to_cpu(counters->rx_broadcast); +- data[10] = le32_to_cpu(counters->rx_multicast); +- data[11] = le16_to_cpu(counters->tx_aborted); +- data[12] = le16_to_cpu(counters->tx_underun); +- + pci_free_consistent(tp->pci_dev, sizeof(*counters), counters, paddr); + } + ++static void rtl8169_get_ethtool_stats(struct net_device *dev, ++ struct ethtool_stats *stats, u64 *data) ++{ ++ struct rtl8169_private *tp = netdev_priv(dev); ++ ++ ASSERT_RTNL(); ++ ++ rtl8169_update_counters(dev); ++ ++ data[0] = le64_to_cpu(tp->counters.tx_packets); ++ data[1] = le64_to_cpu(tp->counters.rx_packets); ++ data[2] = le64_to_cpu(tp->counters.tx_errors); ++ data[3] = le32_to_cpu(tp->counters.rx_errors); ++ data[4] = le16_to_cpu(tp->counters.rx_missed); ++ data[5] = le16_to_cpu(tp->counters.align_errors); ++ data[6] = le32_to_cpu(tp->counters.tx_one_collision); ++ data[7] = le32_to_cpu(tp->counters.tx_multi_collision); ++ data[8] = le64_to_cpu(tp->counters.rx_unicast); ++ data[9] = le64_to_cpu(tp->counters.rx_broadcast); ++ data[10] = le32_to_cpu(tp->counters.rx_multicast); ++ data[11] = le16_to_cpu(tp->counters.tx_aborted); ++ data[12] = le16_to_cpu(tp->counters.tx_underun); ++} ++ + static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch(stringset) { +@@ -2979,6 +2999,9 @@ static int rtl8169_close(struct net_devi + struct rtl8169_private *tp = netdev_priv(dev); + struct pci_dev *pdev = tp->pci_dev; + ++ /* update counters before going down */ ++ rtl8169_update_counters(dev); ++ + rtl8169_down(dev); + + free_irq(dev->irq, dev); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.451364200@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:42 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Francois Romieu , + "David S. Miller" +Subject: [patch 43/58] r8169: use hardware auto-padding. +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=r8169-use-hardware-auto-padding.patch +Content-Length: 961 +Lines: 40 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Francois Romieu + +Upstream as 97d477a914b146e7e6722ded21afa79886ae8ccd (post 2.6.28). + +It shortens the code and fixes the current pci_unmap leak with +padded skb reported by Dave Jones. + +Signed-off-by: Francois Romieu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -2549,13 +2549,6 @@ static int rtl8169_start_xmit(struct sk_ + opts1 |= FirstFrag; + } else { + len = skb->len; +- +- if (unlikely(len < ETH_ZLEN)) { +- if (skb_padto(skb, ETH_ZLEN)) +- goto err_update_stats; +- len = ETH_ZLEN; +- } +- + opts1 |= FirstFrag | LastFrag; + tp->tx_skb[entry].skb = skb; + } +@@ -2593,7 +2586,6 @@ out: + err_stop: + netif_stop_queue(dev); + ret = NETDEV_TX_BUSY; +-err_update_stats: + dev->stats.tx_dropped++; + goto out; + } + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.573174522@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:43 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Karsten Wiese , + Francois Romieu , + "David S. Miller" +Subject: [patch 44/58] r8169: reset IntrStatus after chip reset +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=r8169-reset-intrstatus-after-chip-reset.patch +Content-Length: 1652 +Lines: 50 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Francois Romieu + +Upstream as d78ad8cbfe73ad568de38814a75e9c92ad0a907c (post 2.6.29). + +Original comment (Karsten): +On a MSI MS-6702E mainboard, when in rtl8169_init_one() for the first time +after BIOS has run, IntrStatus reads 5 after chip has been reset. +IntrStatus should equal 0 there, so patch changes IntrStatus reset to happen +after chip reset instead of before. + +Remark (Francois): +Assuming that the loglevel of the driver is increased above NETIF_MSG_INTR, +the bug reveals itself with a typical "interrupt 0025 in poll" message +at startup. In retrospect, the message should had been read as an hint of +an unexpected hardware state several months ago :o( + +Fixes (at least part of) https://bugzilla.redhat.com/show_bug.cgi?id=460747 + +Signed-off-by: Karsten Wiese +Signed-off-by: Francois Romieu +Tested-by: Josep +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -1687,8 +1687,7 @@ rtl8169_init_one(struct pci_dev *pdev, c + goto err_out_free_res_4; + } + +- /* Unneeded ? Don't mess with Mrs. Murphy. */ +- rtl8169_irq_mask_and_ack(ioaddr); ++ RTL_W16(IntrMask, 0x0000); + + /* Soft reset the chip. */ + RTL_W8(ChipCmd, CmdReset); +@@ -1700,6 +1699,8 @@ rtl8169_init_one(struct pci_dev *pdev, c + msleep_interruptible(1); + } + ++ RTL_W16(IntrStatus, 0xffff); ++ + /* Identify chip attached to board */ + rtl8169_get_mac_version(tp, ioaddr); + + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.694765675@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:44 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Johannes Weiner , + Nick Piggin , + Hugh Dickins +Subject: [patch 45/58] mm: check for no mmaps in exit_mmap() +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=mm-check-for-no-mmaps-in-exit_mmap.patch +Content-Length: 1194 +Lines: 39 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Johannes Weiner + +commit dcd4a049b9751828c516c59709f3fdf50436df85 upstream. + +When dup_mmap() ooms we can end up with mm->mmap == NULL. The error +path does mmput() and unmap_vmas() gets a NULL vma which it +dereferences. + +In exit_mmap() there is nothing to do at all for this case, we can +cancel the callpath right there. + +[akpm@linux-foundation.org: add sorely-needed comment] +Signed-off-by: Johannes Weiner +Reported-by: Akinobu Mita +Cc: Nick Piggin +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Reported-by: Kir Kolyshkin +Tested-by: Kir Kolyshkin +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2068,6 +2068,9 @@ void exit_mmap(struct mm_struct *mm) + arch_exit_mmap(mm); + mmu_notifier_release(mm); + ++ if (!mm->mmap) /* Can happen if dup_mmap() received an OOM */ ++ return; ++ + lru_add_drain(); + flush_cache_mm(mm); + tlb = tlb_gather_mmu(mm, 1); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009 +Message-Id: <20090429220929.842695986@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:45 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + benh@kernel.crashing.org, + Josh Boyer +Subject: [patch 46/58] powerpc: Sanitize stack pointer in signal handling code +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=powerpc-sanitize-stack-pointer-in-signal-handling-code.patch +Content-Length: 3876 +Lines: 118 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Josh Boyer + +This has been backported to 2.6.27.x from commit efbda86098 in Linus' tree. + +On powerpc64 machines running 32-bit userspace, we can get garbage bits in the +stack pointer passed into the kernel. Most places handle this correctly, but +the signal handling code uses the passed value directly for allocating signal +stack frames. + +This fixes the issue by introducing a get_clean_sp function that returns a +sanitized stack pointer. For 32-bit tasks on a 64-bit kernel, the stack +pointer is masked correctly. In all other cases, the stack pointer is simply +returned. + +Additionally, we pass an 'is_32' parameter to get_sigframe now in order to +get the properly sanitized stack. The callers are know to be 32 or 64-bit +statically. + +Signed-off-by: Josh Boyer +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/processor.h | 19 +++++++++++++++++++ + arch/powerpc/kernel/signal.c | 4 ++-- + arch/powerpc/kernel/signal.h | 2 +- + arch/powerpc/kernel/signal_32.c | 4 ++-- + arch/powerpc/kernel/signal_64.c | 2 +- + 5 files changed, 25 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/processor.h ++++ b/arch/powerpc/include/asm/processor.h +@@ -309,6 +309,25 @@ static inline void prefetchw(const void + #define HAVE_ARCH_PICK_MMAP_LAYOUT + #endif + ++#ifdef CONFIG_PPC64 ++static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32) ++{ ++ unsigned long sp; ++ ++ if (is_32) ++ sp = regs->gpr[1] & 0x0ffffffffUL; ++ else ++ sp = regs->gpr[1]; ++ ++ return sp; ++} ++#else ++static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32) ++{ ++ return regs->gpr[1]; ++} ++#endif ++ + #endif /* __KERNEL__ */ + #endif /* __ASSEMBLY__ */ + #endif /* _ASM_POWERPC_PROCESSOR_H */ +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -836,7 +836,7 @@ int handle_rt_signal32(unsigned long sig + + /* Set up Signal Frame */ + /* Put a Real Time Context onto stack */ +- rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf)); ++ rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1); + addr = rt_sf; + if (unlikely(rt_sf == NULL)) + goto badframe; +@@ -1170,7 +1170,7 @@ int handle_signal32(unsigned long sig, s + unsigned long newsp = 0; + + /* Set up Signal Frame */ +- frame = get_sigframe(ka, regs, sizeof(*frame)); ++ frame = get_sigframe(ka, regs, sizeof(*frame), 1); + if (unlikely(frame == NULL)) + goto badframe; + sc = (struct sigcontext __user *) &frame->sctx; +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -404,7 +404,7 @@ int handle_rt_signal64(int signr, struct + unsigned long newsp = 0; + long err = 0; + +- frame = get_sigframe(ka, regs, sizeof(*frame)); ++ frame = get_sigframe(ka, regs, sizeof(*frame), 0); + if (unlikely(frame == NULL)) + goto badframe; + +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -26,12 +26,12 @@ int show_unhandled_signals = 0; + * Allocate space for the signal frame + */ + void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, +- size_t frame_size) ++ size_t frame_size, int is_32) + { + unsigned long oldsp, newsp; + + /* Default to using normal stack */ +- oldsp = regs->gpr[1]; ++ oldsp = get_clean_sp(regs, is_32); + + /* Check for alt stack */ + if ((ka->sa.sa_flags & SA_ONSTACK) && +--- a/arch/powerpc/kernel/signal.h ++++ b/arch/powerpc/kernel/signal.h +@@ -13,7 +13,7 @@ + #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP))) + + extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, +- size_t frame_size); ++ size_t frame_size, int is_32); + extern void restore_sigmask(sigset_t *set); + + extern int handle_signal32(unsigned long sig, struct k_sigaction *ka, + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220929.995031553@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Luis R. Rodriguez" , + ath9k-devel@venema.h4ckr.net, + linux-wireless@vger.kernel.org +Subject: [patch 47/58] ath9k: implement IO serialization +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=ath9k-implement-io-serialization.patch +Content-Length: 4390 +Lines: 123 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Luis R. Rodriguez + +This is a port of: +commit SHA1 6158425be398936af1fd04451f78ffad01529cb0 +for 2.6.27 + +All 802.11n PCI devices (Cardbus, PCI, mini-PCI) require +serialization of IO when on non-uniprocessor systems. PCI +express devices not not require this. + +This should fix our only last standing open ath9k kernel.org +bugzilla bug report: + +http://bugzilla.kernel.org/show_bug.cgi?id=12110 + +Signed-off-by: Luis R. Rodriguez +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath9k/ath9k.h | 4 ++-- + drivers/net/wireless/ath9k/core.c | 1 + + drivers/net/wireless/ath9k/core.h | 33 +++++++++++++++++++++++++++++++++ + drivers/net/wireless/ath9k/hw.c | 19 +++++++++++++++++++ + 4 files changed, 55 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath9k/ath9k.h ++++ b/drivers/net/wireless/ath9k/ath9k.h +@@ -591,8 +591,8 @@ struct ath9k_country_entry { + u8 iso[3]; + }; + +-#define REG_WRITE(_ah, _reg, _val) iowrite32(_val, _ah->ah_sh + _reg) +-#define REG_READ(_ah, _reg) ioread32(_ah->ah_sh + _reg) ++#define REG_WRITE(_ah, _reg, _val) ath9k_iowrite32((_ah), (_reg), (_val)) ++#define REG_READ(_ah, _reg) ath9k_ioread32((_ah), (_reg)) + + #define SM(_v, _f) (((_v) << _f##_S) & _f) + #define MS(_v, _f) (((_v) & _f) >> _f##_S) +--- a/drivers/net/wireless/ath9k/core.c ++++ b/drivers/net/wireless/ath9k/core.c +@@ -1120,6 +1120,7 @@ int ath_init(u16 devid, struct ath_softc + sc->sc_cachelsz = csz << 2; /* convert to bytes */ + + spin_lock_init(&sc->sc_resetlock); ++ spin_lock_init(&sc->sc_serial_rw); + + ah = ath9k_hw_attach(devid, sc, sc->mem, &status); + if (ah == NULL) { +--- a/drivers/net/wireless/ath9k/core.h ++++ b/drivers/net/wireless/ath9k/core.h +@@ -1022,6 +1022,7 @@ struct ath_softc { + spinlock_t sc_rxbuflock; + spinlock_t sc_txbuflock; + spinlock_t sc_resetlock; ++ spinlock_t sc_serial_rw; + spinlock_t node_lock; + }; + +@@ -1069,4 +1070,36 @@ void ath_skb_unmap_single(struct ath_sof + void ath_mcast_merge(struct ath_softc *sc, u32 mfilt[2]); + enum ath9k_ht_macmode ath_cwm_macmode(struct ath_softc *sc); + ++/* ++ * Read and write, they both share the same lock. We do this to serialize ++ * reads and writes on Atheros 802.11n PCI devices only. This is required ++ * as the FIFO on these devices can only accept sanely 2 requests. After ++ * that the device goes bananas. Serializing the reads/writes prevents this ++ * from happening. ++ */ ++ ++static inline void ath9k_iowrite32(struct ath_hal *ah, u32 reg_offset, u32 val) ++{ ++ if (ah->ah_config.serialize_regmode == SER_REG_MODE_ON) { ++ unsigned long flags; ++ spin_lock_irqsave(&ah->ah_sc->sc_serial_rw, flags); ++ iowrite32(val, ah->ah_sc->mem + reg_offset); ++ spin_unlock_irqrestore(&ah->ah_sc->sc_serial_rw, flags); ++ } else ++ iowrite32(val, ah->ah_sc->mem + reg_offset); ++} ++ ++static inline unsigned int ath9k_ioread32(struct ath_hal *ah, u32 reg_offset) ++{ ++ u32 val; ++ if (ah->ah_config.serialize_regmode == SER_REG_MODE_ON) { ++ unsigned long flags; ++ spin_lock_irqsave(&ah->ah_sc->sc_serial_rw, flags); ++ val = ioread32(ah->ah_sc->mem + reg_offset); ++ spin_unlock_irqrestore(&ah->ah_sc->sc_serial_rw, flags); ++ } else ++ val = ioread32(ah->ah_sc->mem + reg_offset); ++ return val; ++} ++ + #endif /* CORE_H */ +--- a/drivers/net/wireless/ath9k/hw.c ++++ b/drivers/net/wireless/ath9k/hw.c +@@ -369,6 +369,25 @@ static void ath9k_hw_set_defaults(struct + } + + ah->ah_config.intr_mitigation = 0; ++ ++ /* ++ * We need this for PCI devices only (Cardbus, PCI, miniPCI) ++ * _and_ if on non-uniprocessor systems (Multiprocessor/HT). ++ * This means we use it for all AR5416 devices, and the few ++ * minor PCI AR9280 devices out there. ++ * ++ * Serialization is required because these devices do not handle ++ * well the case of two concurrent reads/writes due to the latency ++ * involved. During one read/write another read/write can be issued ++ * on another CPU while the previous read/write may still be working ++ * on our hardware, if we hit this case the hardware poops in a loop. ++ * We prevent this by serializing reads and writes. ++ * ++ * This issue is not present on PCI-Express devices or pre-AR5416 ++ * devices (legacy, 802.11abg). ++ */ ++ if (num_possible_cpus() > 1) ++ ah->ah_config.serialize_regmode = SER_REG_MODE_AUTO; + } + + static inline void ath9k_hw_override_ini(struct ath_hal *ah, + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.126527883@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "Luis R. Rodriguez" , + ath9k-devel@venema.h4ckr.net, + linux-wireless@vger.kernel.org +Subject: [patch 48/58] ath9k: AR9280 PCI devices must serialize IO as well +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch +Content-Length: 785 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Luis R. Rodriguez + +This is a port of: +commit SHA1 5ec905a8df3fa877566ba98298433fbfb3d688cc +for 2.6.27 + +Signed-off-by: Luis R. Rodriguez +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath9k/hw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath9k/hw.c ++++ b/drivers/net/wireless/ath9k/hw.c +@@ -3313,7 +3313,8 @@ static struct ath_hal *ath9k_hw_do_attac + } + + if (ah->ah_config.serialize_regmode == SER_REG_MODE_AUTO) { +- if (ah->ah_macVersion == AR_SREV_VERSION_5416_PCI) { ++ if (ah->ah_macVersion == AR_SREV_VERSION_5416_PCI || ++ (AR_SREV_9280(ah) && !ah->ah_isPciExpress)) { + ah->ah_config.serialize_regmode = + SER_REG_MODE_ON; + } else { + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.269909506@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michael Buesch , + "David S. Miller" +Subject: [patch 49/58] b44: Use kernel DMA addresses for the kernel DMA API +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch +Content-Length: 932 +Lines: 30 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Michael Buesch + +commit 37efa239901493694a48f1d6f59f8de17c2c4509 upstream. + +We must not use the device DMA addresses for the kernel DMA API, because +device DMA addresses have an additional offset added for the SSB translation. + +Use the original dma_addr_t for the sync operation. + +Cc: stable@kernel.org +Signed-off-by: Michael Buesch +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/b44.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/b44.c ++++ b/drivers/net/b44.c +@@ -750,7 +750,7 @@ static void b44_recycle_rx(struct b44 *b + dest_idx * sizeof(dest_desc), + DMA_BIDIRECTIONAL); + +- ssb_dma_sync_single_for_device(bp->sdev, le32_to_cpu(src_desc->addr), ++ ssb_dma_sync_single_for_device(bp->sdev, dest_map->mapping, + RX_PKT_BUF_SZ, + DMA_FROM_DEVICE); + } + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.399148414@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Christian Hohnstaedt , + Herbert Xu +Subject: [patch 50/58] crypto: ixp4xx - Fix handling of chained sg buffers +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch +Content-Length: 12134 +Lines: 386 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Christian Hohnstaedt + +commit 0d44dc59b2b434b29aafeae581d06f81efac7c83 upstream. + + - keep dma functions away from chained scatterlists. + Use the existing scatterlist iteration inside the driver + to call dma_map_single() for each chunk and avoid dma_map_sg(). + +Signed-off-by: Christian Hohnstaedt +Tested-By: Karl Hiramoto +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ixp4xx_crypto.c | 184 ++++++++++++++--------------------------- + 1 file changed, 64 insertions(+), 120 deletions(-) + +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -101,6 +101,7 @@ struct buffer_desc { + u32 phys_addr; + u32 __reserved[4]; + struct buffer_desc *next; ++ enum dma_data_direction dir; + }; + + struct crypt_ctl { +@@ -132,14 +133,10 @@ struct crypt_ctl { + struct ablk_ctx { + struct buffer_desc *src; + struct buffer_desc *dst; +- unsigned src_nents; +- unsigned dst_nents; + }; + + struct aead_ctx { + struct buffer_desc *buffer; +- unsigned short assoc_nents; +- unsigned short src_nents; + struct scatterlist ivlist; + /* used when the hmac is not on one sg entry */ + u8 *hmac_virt; +@@ -312,7 +309,7 @@ static struct crypt_ctl *get_crypt_desc_ + } + } + +-static void free_buf_chain(struct buffer_desc *buf, u32 phys) ++static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys) + { + while (buf) { + struct buffer_desc *buf1; +@@ -320,6 +317,7 @@ static void free_buf_chain(struct buffer + + buf1 = buf->next; + phys1 = buf->phys_next; ++ dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir); + dma_pool_free(buffer_pool, buf, phys); + buf = buf1; + phys = phys1; +@@ -348,7 +346,6 @@ static void one_packet(dma_addr_t phys) + struct crypt_ctl *crypt; + struct ixp_ctx *ctx; + int failed; +- enum dma_data_direction src_direction = DMA_BIDIRECTIONAL; + + failed = phys & 0x1 ? -EBADMSG : 0; + phys &= ~0x3; +@@ -358,13 +355,8 @@ static void one_packet(dma_addr_t phys) + case CTL_FLAG_PERFORM_AEAD: { + struct aead_request *req = crypt->data.aead_req; + struct aead_ctx *req_ctx = aead_request_ctx(req); +- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents, +- DMA_TO_DEVICE); +- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL); +- dma_unmap_sg(dev, req->src, req_ctx->src_nents, +- DMA_BIDIRECTIONAL); + +- free_buf_chain(req_ctx->buffer, crypt->src_buf); ++ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf); + if (req_ctx->hmac_virt) { + finish_scattered_hmac(crypt); + } +@@ -374,16 +366,11 @@ static void one_packet(dma_addr_t phys) + case CTL_FLAG_PERFORM_ABLK: { + struct ablkcipher_request *req = crypt->data.ablk_req; + struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req); +- int nents; ++ + if (req_ctx->dst) { +- nents = req_ctx->dst_nents; +- dma_unmap_sg(dev, req->dst, nents, DMA_FROM_DEVICE); +- free_buf_chain(req_ctx->dst, crypt->dst_buf); +- src_direction = DMA_TO_DEVICE; +- } +- nents = req_ctx->src_nents; +- dma_unmap_sg(dev, req->src, nents, src_direction); +- free_buf_chain(req_ctx->src, crypt->src_buf); ++ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf); ++ } ++ free_buf_chain(dev, req_ctx->src, crypt->src_buf); + req->base.complete(&req->base, failed); + break; + } +@@ -748,56 +735,35 @@ static int setup_cipher(struct crypto_tf + return 0; + } + +-static int count_sg(struct scatterlist *sg, int nbytes) +-{ +- int i; +- for (i = 0; nbytes > 0; i++, sg = sg_next(sg)) +- nbytes -= sg->length; +- return i; +-} +- +-static struct buffer_desc *chainup_buffers(struct scatterlist *sg, +- unsigned nbytes, struct buffer_desc *buf, gfp_t flags) ++static struct buffer_desc *chainup_buffers(struct device *dev, ++ struct scatterlist *sg, unsigned nbytes, ++ struct buffer_desc *buf, gfp_t flags, ++ enum dma_data_direction dir) + { +- int nents = 0; +- +- while (nbytes > 0) { ++ for (;nbytes > 0; sg = scatterwalk_sg_next(sg)) { ++ unsigned len = min(nbytes, sg->length); + struct buffer_desc *next_buf; + u32 next_buf_phys; +- unsigned len = min(nbytes, sg_dma_len(sg)); ++ void *ptr; + +- nents++; + nbytes -= len; +- if (!buf->phys_addr) { +- buf->phys_addr = sg_dma_address(sg); +- buf->buf_len = len; +- buf->next = NULL; +- buf->phys_next = 0; +- goto next; +- } +- /* Two consecutive chunks on one page may be handled by the old +- * buffer descriptor, increased by the length of the new one +- */ +- if (sg_dma_address(sg) == buf->phys_addr + buf->buf_len) { +- buf->buf_len += len; +- goto next; +- } ++ ptr = page_address(sg_page(sg)) + sg->offset; + next_buf = dma_pool_alloc(buffer_pool, flags, &next_buf_phys); +- if (!next_buf) +- return NULL; ++ if (!next_buf) { ++ buf = NULL; ++ break; ++ } ++ sg_dma_address(sg) = dma_map_single(dev, ptr, len, dir); + buf->next = next_buf; + buf->phys_next = next_buf_phys; +- + buf = next_buf; +- buf->next = NULL; +- buf->phys_next = 0; ++ + buf->phys_addr = sg_dma_address(sg); + buf->buf_len = len; +-next: +- if (nbytes > 0) { +- sg = sg_next(sg); +- } ++ buf->dir = dir; + } ++ buf->next = NULL; ++ buf->phys_next = 0; + return buf; + } + +@@ -858,12 +824,12 @@ static int ablk_perform(struct ablkciphe + struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); + struct ixp_ctx *ctx = crypto_ablkcipher_ctx(tfm); + unsigned ivsize = crypto_ablkcipher_ivsize(tfm); +- int ret = -ENOMEM; + struct ix_sa_dir *dir; + struct crypt_ctl *crypt; +- unsigned int nbytes = req->nbytes, nents; ++ unsigned int nbytes = req->nbytes; + enum dma_data_direction src_direction = DMA_BIDIRECTIONAL; + struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req); ++ struct buffer_desc src_hook; + gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? + GFP_KERNEL : GFP_ATOMIC; + +@@ -876,7 +842,7 @@ static int ablk_perform(struct ablkciphe + + crypt = get_crypt_desc(); + if (!crypt) +- return ret; ++ return -ENOMEM; + + crypt->data.ablk_req = req; + crypt->crypto_ctx = dir->npe_ctx_phys; +@@ -889,53 +855,41 @@ static int ablk_perform(struct ablkciphe + BUG_ON(ivsize && !req->info); + memcpy(crypt->iv, req->info, ivsize); + if (req->src != req->dst) { ++ struct buffer_desc dst_hook; + crypt->mode |= NPE_OP_NOT_IN_PLACE; +- nents = count_sg(req->dst, nbytes); + /* This was never tested by Intel + * for more than one dst buffer, I think. */ +- BUG_ON(nents != 1); +- req_ctx->dst_nents = nents; +- dma_map_sg(dev, req->dst, nents, DMA_FROM_DEVICE); +- req_ctx->dst = dma_pool_alloc(buffer_pool, flags,&crypt->dst_buf); +- if (!req_ctx->dst) +- goto unmap_sg_dest; +- req_ctx->dst->phys_addr = 0; +- if (!chainup_buffers(req->dst, nbytes, req_ctx->dst, flags)) ++ BUG_ON(req->dst->length < nbytes); ++ req_ctx->dst = NULL; ++ if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook, ++ flags, DMA_FROM_DEVICE)) + goto free_buf_dest; + src_direction = DMA_TO_DEVICE; ++ req_ctx->dst = dst_hook.next; ++ crypt->dst_buf = dst_hook.phys_next; + } else { + req_ctx->dst = NULL; +- req_ctx->dst_nents = 0; + } +- nents = count_sg(req->src, nbytes); +- req_ctx->src_nents = nents; +- dma_map_sg(dev, req->src, nents, src_direction); +- +- req_ctx->src = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf); +- if (!req_ctx->src) +- goto unmap_sg_src; +- req_ctx->src->phys_addr = 0; +- if (!chainup_buffers(req->src, nbytes, req_ctx->src, flags)) ++ req_ctx->src = NULL; ++ if (!chainup_buffers(dev, req->src, nbytes, &src_hook, ++ flags, src_direction)) + goto free_buf_src; + ++ req_ctx->src = src_hook.next; ++ crypt->src_buf = src_hook.phys_next; + crypt->ctl_flags |= CTL_FLAG_PERFORM_ABLK; + qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt)); + BUG_ON(qmgr_stat_overflow(SEND_QID)); + return -EINPROGRESS; + + free_buf_src: +- free_buf_chain(req_ctx->src, crypt->src_buf); +-unmap_sg_src: +- dma_unmap_sg(dev, req->src, req_ctx->src_nents, src_direction); ++ free_buf_chain(dev, req_ctx->src, crypt->src_buf); + free_buf_dest: + if (req->src != req->dst) { +- free_buf_chain(req_ctx->dst, crypt->dst_buf); +-unmap_sg_dest: +- dma_unmap_sg(dev, req->src, req_ctx->dst_nents, +- DMA_FROM_DEVICE); ++ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf); + } + crypt->ctl_flags = CTL_FLAG_UNUSED; +- return ret; ++ return -ENOMEM; + } + + static int ablk_encrypt(struct ablkcipher_request *req) +@@ -983,7 +937,7 @@ static int hmac_inconsistent(struct scat + break; + + offset += sg->length; +- sg = sg_next(sg); ++ sg = scatterwalk_sg_next(sg); + } + return (start + nbytes > offset + sg->length); + } +@@ -995,11 +949,10 @@ static int aead_perform(struct aead_requ + struct ixp_ctx *ctx = crypto_aead_ctx(tfm); + unsigned ivsize = crypto_aead_ivsize(tfm); + unsigned authsize = crypto_aead_authsize(tfm); +- int ret = -ENOMEM; + struct ix_sa_dir *dir; + struct crypt_ctl *crypt; +- unsigned int cryptlen, nents; +- struct buffer_desc *buf; ++ unsigned int cryptlen; ++ struct buffer_desc *buf, src_hook; + struct aead_ctx *req_ctx = aead_request_ctx(req); + gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? + GFP_KERNEL : GFP_ATOMIC; +@@ -1020,7 +973,7 @@ static int aead_perform(struct aead_requ + } + crypt = get_crypt_desc(); + if (!crypt) +- return ret; ++ return -ENOMEM; + + crypt->data.aead_req = req; + crypt->crypto_ctx = dir->npe_ctx_phys; +@@ -1039,31 +992,27 @@ static int aead_perform(struct aead_requ + BUG(); /* -ENOTSUP because of my lazyness */ + } + +- req_ctx->buffer = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf); +- if (!req_ctx->buffer) +- goto out; +- req_ctx->buffer->phys_addr = 0; + /* ASSOC data */ +- nents = count_sg(req->assoc, req->assoclen); +- req_ctx->assoc_nents = nents; +- dma_map_sg(dev, req->assoc, nents, DMA_TO_DEVICE); +- buf = chainup_buffers(req->assoc, req->assoclen, req_ctx->buffer,flags); ++ buf = chainup_buffers(dev, req->assoc, req->assoclen, &src_hook, ++ flags, DMA_TO_DEVICE); ++ req_ctx->buffer = src_hook.next; ++ crypt->src_buf = src_hook.phys_next; + if (!buf) +- goto unmap_sg_assoc; ++ goto out; + /* IV */ + sg_init_table(&req_ctx->ivlist, 1); + sg_set_buf(&req_ctx->ivlist, iv, ivsize); +- dma_map_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL); +- buf = chainup_buffers(&req_ctx->ivlist, ivsize, buf, flags); ++ buf = chainup_buffers(dev, &req_ctx->ivlist, ivsize, buf, flags, ++ DMA_BIDIRECTIONAL); + if (!buf) +- goto unmap_sg_iv; ++ goto free_chain; + if (unlikely(hmac_inconsistent(req->src, cryptlen, authsize))) { + /* The 12 hmac bytes are scattered, + * we need to copy them into a safe buffer */ + req_ctx->hmac_virt = dma_pool_alloc(buffer_pool, flags, + &crypt->icv_rev_aes); + if (unlikely(!req_ctx->hmac_virt)) +- goto unmap_sg_iv; ++ goto free_chain; + if (!encrypt) { + scatterwalk_map_and_copy(req_ctx->hmac_virt, + req->src, cryptlen, authsize, 0); +@@ -1073,33 +1022,28 @@ static int aead_perform(struct aead_requ + req_ctx->hmac_virt = NULL; + } + /* Crypt */ +- nents = count_sg(req->src, cryptlen + authsize); +- req_ctx->src_nents = nents; +- dma_map_sg(dev, req->src, nents, DMA_BIDIRECTIONAL); +- buf = chainup_buffers(req->src, cryptlen + authsize, buf, flags); ++ buf = chainup_buffers(dev, req->src, cryptlen + authsize, buf, flags, ++ DMA_BIDIRECTIONAL); + if (!buf) +- goto unmap_sg_src; ++ goto free_hmac_virt; + if (!req_ctx->hmac_virt) { + crypt->icv_rev_aes = buf->phys_addr + buf->buf_len - authsize; + } ++ + crypt->ctl_flags |= CTL_FLAG_PERFORM_AEAD; + qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt)); + BUG_ON(qmgr_stat_overflow(SEND_QID)); + return -EINPROGRESS; +-unmap_sg_src: +- dma_unmap_sg(dev, req->src, req_ctx->src_nents, DMA_BIDIRECTIONAL); ++free_hmac_virt: + if (req_ctx->hmac_virt) { + dma_pool_free(buffer_pool, req_ctx->hmac_virt, + crypt->icv_rev_aes); + } +-unmap_sg_iv: +- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL); +-unmap_sg_assoc: +- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents, DMA_TO_DEVICE); +- free_buf_chain(req_ctx->buffer, crypt->src_buf); ++free_chain: ++ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf); + out: + crypt->ctl_flags = CTL_FLAG_UNUSED; +- return ret; ++ return -ENOMEM; + } + + static int aead_setup(struct crypto_aead *tfm, unsigned int authsize) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.548659812@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Serge Hallyn , + Roland McGrath +Subject: [patch 51/58] exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337) +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=exit_notify-kill-the-wrong-capable-check.patch +Content-Length: 1090 +Lines: 34 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Oleg Nesterov + +CVE-2009-1337 + +commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream. + +The CAP_KILL check in exit_notify() looks just wrong, kill it. + +Whatever logic we have to reset ->exit_signal, the malicious user +can bypass it if it execs the setuid application before exiting. + +Signed-off-by: Oleg Nesterov +Acked-by: Serge Hallyn +Acked-by: Roland McGrath +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -938,8 +938,7 @@ static void exit_notify(struct task_stru + */ + if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) && + (tsk->parent_exec_id != tsk->real_parent->self_exec_id || +- tsk->self_exec_id != tsk->parent_exec_id) && +- !capable(CAP_KILL)) ++ tsk->self_exec_id != tsk->parent_exec_id)) + tsk->exit_signal = SIGCHLD; + + signal = tracehook_notify_death(tsk, &cookie, group_dead); + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.695005091@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Miklos Szeredi +Subject: [patch 52/58] fix ptrace slowness +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=fix-ptrace-slowness.patch +Content-Length: 1729 +Lines: 59 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Miklos Szeredi + +commit 53da1d9456fe7f87a920a78fdbdcf1225d197cb7 upstream. + +This patch fixes bug #12208: + + Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=12208 + Subject : uml is very slow on 2.6.28 host + +This turned out to be not a scheduler regression, but an already +existing problem in ptrace being triggered by subtle scheduler +changes. + +The problem is this: + + - task A is ptracing task B + - task B stops on a trace event + - task A is woken up and preempts task B + - task A calls ptrace on task B, which does ptrace_check_attach() + - this calls wait_task_inactive(), which sees that task B is still on the runq + - task A goes to sleep for a jiffy + - ... + +Since UML does lots of the above sequences, those jiffies quickly add +up to make it slow as hell. + +This patch solves this by not rescheduling in read_unlock() after +ptrace_stop() has woken up the tracer. + +Thanks to Oleg Nesterov and Ingo Molnar for the feedback. + +Signed-off-by: Miklos Szeredi +CC: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1549,7 +1549,15 @@ static void ptrace_stop(int exit_code, i + read_lock(&tasklist_lock); + if (may_ptrace_stop()) { + do_notify_parent_cldstop(current, CLD_TRAPPED); ++ /* ++ * Don't want to allow preemption here, because ++ * sys_ptrace() needs this task to be inactive. ++ * ++ * XXX: implement read_unlock_no_resched(). ++ */ ++ preempt_disable(); + read_unlock(&tasklist_lock); ++ preempt_enable_no_resched(); + schedule(); + } else { + /* + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009 +Message-Id: <20090429220930.850358132@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Chris Wright +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Hugh Dickins +Subject: [patch 53/58] fs core fixes +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=fs-core-fixes.patch +Content-Length: 5107 +Lines: 203 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Hugh Dickins + +Please add the following 4 commits to 2.6.27-stable and 2.6.28-stable. +However, there has been a lot of change here between 2.6.28 and 2.6.29: +in particular, fs/exec.c's unsafe_exec() grew into the more complicated +check_unsafe_exec(). So applying the original patches gives too many +rejects: at the bottom is the diffstat and the combined patch required. + +1 +Commit: 53e9309e01277ec99c38e84e0ca16921287cf470 +Author: Hugh Dickins +Date: Sat, 28 Mar 2009 23:16:03 +0000 (+0000) +Subject: [patch 53/58] compat_do_execve should unshare_files + +2 +Commit: e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78 +Author: Hugh Dickins +Date: Sat, 28 Mar 2009 23:20:19 +0000 (+0000) +Subject: [patch 53/58] fix setuid sometimes doesn't + +3 +Commit: 7c2c7d993044cddc5010f6f429b100c63bc7dffb +Author: Hugh Dickins +Date: Sat, 28 Mar 2009 23:21:27 +0000 (+0000) +Subject: [patch 53/58] fix setuid sometimes wouldn't + +4 +Commit: f1191b50ec11c8e2ca766d6d99eb5bb9d2c084a3 +Author: Al Viro +Date: Mon, 30 Mar 2009 11:35:18 +0000 (-0400) +Subject: [patch 53/58] check_unsafe_exec() doesn't care about signal handlers sharing + +Signed-off-by: Hugh Dickins +Signed-off-by: Greg Kroah-Hartman + +--- + fs/compat.c | 12 +++++++++++- + fs/exec.c | 4 +--- + fs/proc/base.c | 50 ++++++++++++++++---------------------------------- + 3 files changed, 28 insertions(+), 38 deletions(-) + +--- a/fs/compat.c ++++ b/fs/compat.c +@@ -1353,12 +1353,17 @@ int compat_do_execve(char * filename, + { + struct linux_binprm *bprm; + struct file *file; ++ struct files_struct *displaced; + int retval; + ++ retval = unshare_files(&displaced); ++ if (retval) ++ goto out_ret; ++ + retval = -ENOMEM; + bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); + if (!bprm) +- goto out_ret; ++ goto out_files; + + file = open_exec(filename); + retval = PTR_ERR(file); +@@ -1410,6 +1415,8 @@ int compat_do_execve(char * filename, + security_bprm_free(bprm); + acct_update_integrals(current); + free_bprm(bprm); ++ if (displaced) ++ put_files_struct(displaced); + return retval; + } + +@@ -1430,6 +1437,9 @@ out_file: + out_kfree: + free_bprm(bprm); + ++out_files: ++ if (displaced) ++ reset_files_struct(displaced); + out_ret: + return retval; + } +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1089,9 +1089,7 @@ static int unsafe_exec(struct task_struc + { + int unsafe = tracehook_unsafe_exec(p); + +- if (atomic_read(&p->fs->count) > 1 || +- atomic_read(&p->files->count) > 1 || +- atomic_read(&p->sighand->count) > 1) ++ if (atomic_read(&p->fs->count) > 1) + unsafe |= LSM_UNSAFE_SHARE; + + return unsafe; +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -151,15 +151,22 @@ static unsigned int pid_entry_count_dirs + int maps_protect; + EXPORT_SYMBOL(maps_protect); + +-static struct fs_struct *get_fs_struct(struct task_struct *task) ++static int get_fs_path(struct task_struct *task, struct path *path, bool root) + { + struct fs_struct *fs; ++ int result = -ENOENT; ++ + task_lock(task); + fs = task->fs; +- if(fs) +- atomic_inc(&fs->count); ++ if (fs) { ++ read_lock(&fs->lock); ++ *path = root ? fs->root : fs->pwd; ++ path_get(path); ++ read_unlock(&fs->lock); ++ result = 0; ++ } + task_unlock(task); +- return fs; ++ return result; + } + + static int get_nr_threads(struct task_struct *tsk) +@@ -178,42 +185,24 @@ static int get_nr_threads(struct task_st + static int proc_cwd_link(struct inode *inode, struct path *path) + { + struct task_struct *task = get_proc_task(inode); +- struct fs_struct *fs = NULL; + int result = -ENOENT; + + if (task) { +- fs = get_fs_struct(task); ++ result = get_fs_path(task, path, 0); + put_task_struct(task); + } +- if (fs) { +- read_lock(&fs->lock); +- *path = fs->pwd; +- path_get(&fs->pwd); +- read_unlock(&fs->lock); +- result = 0; +- put_fs_struct(fs); +- } + return result; + } + + static int proc_root_link(struct inode *inode, struct path *path) + { + struct task_struct *task = get_proc_task(inode); +- struct fs_struct *fs = NULL; + int result = -ENOENT; + + if (task) { +- fs = get_fs_struct(task); ++ result = get_fs_path(task, path, 1); + put_task_struct(task); + } +- if (fs) { +- read_lock(&fs->lock); +- *path = fs->root; +- path_get(&fs->root); +- read_unlock(&fs->lock); +- result = 0; +- put_fs_struct(fs); +- } + return result; + } + +@@ -575,7 +564,6 @@ static int mounts_open_common(struct ino + struct task_struct *task = get_proc_task(inode); + struct nsproxy *nsp; + struct mnt_namespace *ns = NULL; +- struct fs_struct *fs = NULL; + struct path root; + struct proc_mounts *p; + int ret = -EINVAL; +@@ -589,22 +577,16 @@ static int mounts_open_common(struct ino + get_mnt_ns(ns); + } + rcu_read_unlock(); +- if (ns) +- fs = get_fs_struct(task); ++ if (ns && get_fs_path(task, &root, 1) == 0) ++ ret = 0; + put_task_struct(task); + } + + if (!ns) + goto err; +- if (!fs) ++ if (ret) + goto err_put_ns; + +- read_lock(&fs->lock); +- root = fs->root; +- path_get(&root); +- read_unlock(&fs->lock); +- put_fs_struct(fs); +- + ret = -ENOMEM; + p = kmalloc(sizeof(struct proc_mounts), GFP_KERNEL); + if (!p) + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009 +Message-Id: <20090429220930.974826191@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Yu Zhao , + Jesse Barnes +Subject: [patch 54/58] PCI: fix incorrect mask of PM No_Soft_Reset bit +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch +Content-Length: 1005 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Yu Zhao + +commit 998dd7c719f62dcfa91d7bf7f4eb9c160e03d817 upstream. + +Reviewed-by: Matthew Wilcox +Signed-off-by: Yu Zhao +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/pci_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/pci_regs.h ++++ b/include/linux/pci_regs.h +@@ -234,7 +234,7 @@ + #define PCI_PM_CAP_PME_SHIFT 11 /* Start of the PME Mask in PMC */ + #define PCI_PM_CTRL 4 /* PM control and status register */ + #define PCI_PM_CTRL_STATE_MASK 0x0003 /* Current power state (D0 to D3) */ +-#define PCI_PM_CTRL_NO_SOFT_RESET 0x0004 /* No reset for D3hot->D0 */ ++#define PCI_PM_CTRL_NO_SOFT_RESET 0x0008 /* No reset for D3hot->D0 */ + #define PCI_PM_CTRL_PME_ENABLE 0x0100 /* PME pin enable */ + #define PCI_PM_CTRL_DATA_SEL_MASK 0x1e00 /* Data select (??) */ + #define PCI_PM_CTRL_DATA_SCALE_MASK 0x6000 /* Data scale (??) */ + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009 +Message-Id: <20090429220931.129827045@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Henrique de Moraes Holschuh , + Len Brown +Subject: [patch 55/58] thinkpad-acpi: fix LED blinking through timer trigger +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch +Content-Length: 3824 +Lines: 128 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Henrique de Moraes Holschuh + +commit 75bd3bf2ade9d548be0d2bde60b5ee0fdce0b127 upstream. + +The set_blink hook code in the LED subdriver would never manage to get +a LED to blink, and instead it would just turn it on. The consequence +of this is that the "timer" trigger would not cause the LED to blink +if given default parameters. + +This problem exists since 2.6.26-rc1. + +To fix it, switch the deferred LED work handling to use the +thinkpad-acpi-specific LED status (off/on/blink) directly. + +This also makes the code easier to read, and to extend later. + +Signed-off-by: Henrique de Moraes Holschuh +Cc: stable@kernel.org +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/thinkpad_acpi.c | 41 +++++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +--- a/drivers/misc/thinkpad_acpi.c ++++ b/drivers/misc/thinkpad_acpi.c +@@ -282,11 +282,17 @@ static u32 dbg_level; + + static struct workqueue_struct *tpacpi_wq; + ++enum led_status_t { ++ TPACPI_LED_OFF = 0, ++ TPACPI_LED_ON, ++ TPACPI_LED_BLINK, ++}; ++ + /* Special LED class that can defer work */ + struct tpacpi_led_classdev { + struct led_classdev led_classdev; + struct work_struct work; +- enum led_brightness new_brightness; ++ enum led_status_t new_state; + unsigned int led; + }; + +@@ -3478,7 +3484,7 @@ static void light_set_status_worker(stru + container_of(work, struct tpacpi_led_classdev, work); + + if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING)) +- light_set_status((data->new_brightness != LED_OFF)); ++ light_set_status((data->new_state != TPACPI_LED_OFF)); + } + + static void light_sysfs_set(struct led_classdev *led_cdev, +@@ -3488,7 +3494,8 @@ static void light_sysfs_set(struct led_c + container_of(led_cdev, + struct tpacpi_led_classdev, + led_classdev); +- data->new_brightness = brightness; ++ data->new_state = (brightness != LED_OFF) ? ++ TPACPI_LED_ON : TPACPI_LED_OFF; + queue_work(tpacpi_wq, &data->work); + } + +@@ -3995,12 +4002,6 @@ enum { /* For TPACPI_LED_OLD */ + TPACPI_LED_EC_HLMS = 0x0e, /* EC reg to select led to command */ + }; + +-enum led_status_t { +- TPACPI_LED_OFF = 0, +- TPACPI_LED_ON, +- TPACPI_LED_BLINK, +-}; +- + static enum led_access_mode led_supported; + + TPACPI_HANDLE(led, ec, "SLED", /* 570 */ +@@ -4094,23 +4095,13 @@ static int led_set_status(const unsigned + return rc; + } + +-static void led_sysfs_set_status(unsigned int led, +- enum led_brightness brightness) +-{ +- led_set_status(led, +- (brightness == LED_OFF) ? +- TPACPI_LED_OFF : +- (tpacpi_led_state_cache[led] == TPACPI_LED_BLINK) ? +- TPACPI_LED_BLINK : TPACPI_LED_ON); +-} +- + static void led_set_status_worker(struct work_struct *work) + { + struct tpacpi_led_classdev *data = + container_of(work, struct tpacpi_led_classdev, work); + + if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING)) +- led_sysfs_set_status(data->led, data->new_brightness); ++ led_set_status(data->led, data->new_state); + } + + static void led_sysfs_set(struct led_classdev *led_cdev, +@@ -4119,7 +4110,13 @@ static void led_sysfs_set(struct led_cla + struct tpacpi_led_classdev *data = container_of(led_cdev, + struct tpacpi_led_classdev, led_classdev); + +- data->new_brightness = brightness; ++ if (brightness == LED_OFF) ++ data->new_state = TPACPI_LED_OFF; ++ else if (tpacpi_led_state_cache[data->led] != TPACPI_LED_BLINK) ++ data->new_state = TPACPI_LED_ON; ++ else ++ data->new_state = TPACPI_LED_BLINK; ++ + queue_work(tpacpi_wq, &data->work); + } + +@@ -4137,7 +4134,7 @@ static int led_sysfs_blink_set(struct le + } else if ((*delay_on != 500) || (*delay_off != 500)) + return -EINVAL; + +- data->new_brightness = TPACPI_LED_BLINK; ++ data->new_state = TPACPI_LED_BLINK; + queue_work(tpacpi_wq, &data->work); + + return 0; + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009 +Message-Id: <20090429220931.285231983@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alexey Starikovskiy , + Len Brown +Subject: [patch 56/58] ACPI: EC: Add some basic check for ECDT data +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=acpi-ec-add-some-basic-check-for-ecdt-data.patch +Content-Length: 2663 +Lines: 80 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Alexey Starikovskiy + +commit c5279dee26c0e8d7c4200993bfc4b540d2469598 upstream. + +One more ASUS comes with empty ECDT, add a guard for it... + +http://bugzilla.kernel.org/show_bug.cgi?id=11880 + +Signed-off-by: Alexey Starikovskiy +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 43 ++++++++++++++++++++++--------------------- + 1 file changed, 22 insertions(+), 21 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -968,7 +968,6 @@ static const struct acpi_device_id ec_de + + int __init acpi_ec_ecdt_probe(void) + { +- int ret; + acpi_status status; + struct acpi_table_ecdt *ecdt_ptr; + +@@ -996,30 +995,32 @@ int __init acpi_ec_ecdt_probe(void) + boot_ec->gpe = ecdt_ptr->gpe; + boot_ec->handle = ACPI_ROOT_OBJECT; + acpi_get_handle(ACPI_ROOT_OBJECT, ecdt_ptr->id, &boot_ec->handle); +- } else { +- /* This workaround is needed only on some broken machines, +- * which require early EC, but fail to provide ECDT */ +- acpi_handle x; +- printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n"); +- status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device, +- boot_ec, NULL); +- /* Check that acpi_get_devices actually find something */ +- if (ACPI_FAILURE(status) || !boot_ec->handle) +- goto error; +- /* We really need to limit this workaround, the only ASUS, +- * which needs it, has fake EC._INI method, so use it as flag. +- * Keep boot_ec struct as it will be needed soon. +- */ +- if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x))) +- return -ENODEV; ++ /* Add some basic check against completely broken table */ ++ if (boot_ec->data_addr != boot_ec->command_addr) ++ goto install; ++ /* fall through */ + } +- +- ret = ec_install_handlers(boot_ec); +- if (!ret) { ++ /* This workaround is needed only on some broken machines, ++ * which require early EC, but fail to provide ECDT */ ++ acpi_handle x; ++ printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n"); ++ status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device, ++ boot_ec, NULL); ++ /* Check that acpi_get_devices actually find something */ ++ if (ACPI_FAILURE(status) || !boot_ec->handle) ++ goto error; ++ /* We really need to limit this workaround, the only ASUS, ++ * which needs it, has fake EC._INI method, so use it as flag. ++ * Keep boot_ec struct as it will be needed soon. ++ */ ++ if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x))) ++ return -ENODEV; ++install: ++ if (!ec_install_handlers(boot_ec)) { + first_ec = boot_ec; + return 0; + } +- error: ++error: + kfree(boot_ec); + boot_ec = NULL; + return -ENODEV; + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009 +Message-Id: <20090429220931.429528114@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Hannes Eder , + Alexey Starikovskiy , + Len Brown +Subject: [patch 57/58] ACPI: EC: fix compilation warning +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=acpi-ec-fix-compilation-warning.patch +Content-Length: 1610 +Lines: 47 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Hannes Eder + +commit 3e54048691bce3f323fd5460695273be379803b9 upstream. + +Fix the warning introduced in commit c5279dee26c0e8d7c4200993bfc4b540d2469598, +and give the dummy variable a more verbose name. + + drivers/acpi/ec.c: In function 'acpi_ec_ecdt_probe': + drivers/acpi/ec.c:1015: warning: ISO C90 forbids mixed declarations and code + +Signed-off-by: Hannes Eder +Acked-by: Alexey Starikovskiy +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -970,6 +970,7 @@ int __init acpi_ec_ecdt_probe(void) + { + acpi_status status; + struct acpi_table_ecdt *ecdt_ptr; ++ acpi_handle dummy; + + boot_ec = make_acpi_ec(); + if (!boot_ec) +@@ -1002,7 +1003,6 @@ int __init acpi_ec_ecdt_probe(void) + } + /* This workaround is needed only on some broken machines, + * which require early EC, but fail to provide ECDT */ +- acpi_handle x; + printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n"); + status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device, + boot_ec, NULL); +@@ -1013,7 +1013,7 @@ int __init acpi_ec_ecdt_probe(void) + * which needs it, has fake EC._INI method, so use it as flag. + * Keep boot_ec struct as it will be needed soon. + */ +- if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x))) ++ if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &dummy))) + return -ENODEV; + install: + if (!ec_install_handlers(boot_ec)) { + + +From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009 +Message-Id: <20090429220931.578718104@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Wed, 29 Apr 2009 15:07:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + paul.moore@hp.com +Cc: Justin Forbes , + Zwane Mwaikambo , + Theodore Ts'o , + Randy Dunlap , + Dave Jones , + Chuck Wolber , + Chris Wedgwood , + Michael Krufky , + Chuck Ebbert , + Domenico Andreoli , + Willy Tarreau , + Rodrigo Rubira Branco , + Jake Edge , + Eugene Teo , + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + jmorris@namei.org, + greg@kroah.com, + chrisw@redhat.com, + error27@gmail.com, + Eugene Teo +Subject: [patch 58/58] unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184) +References: <20090429220659.339950874@mini.kroah.org> +Content-Disposition: inline; filename=unreached-code-in-selinux_ip_postroute_iptables_compat.patch +Content-Length: 830 +Lines: 29 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Eugene Teo + +Not upstream in 2.6.30, as the function was removed there, making this a +non-issue. + +Node and port send checks can skip in the compat_net=1 case. This bug +was introduced in commit effad8d. + +Signed-off-by: Eugene Teo +Reported-by: Dan Carpenter +Acked-by: James Morris +Acked-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4467,6 +4467,7 @@ static int selinux_ip_postroute_iptables + if (err) + return err; + err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); ++ if (err) + return err; + + err = sel_netnode_sid(addrp, family, &node_sid); + + diff --git a/queue-2.6.27/mm-check-for-no-mmaps-in-exit_mmap.patch b/review-2.6.27/mm-check-for-no-mmaps-in-exit_mmap.patch similarity index 100% rename from queue-2.6.27/mm-check-for-no-mmaps-in-exit_mmap.patch rename to review-2.6.27/mm-check-for-no-mmaps-in-exit_mmap.patch diff --git a/queue-2.6.27/net-fix-sctp-breakage.patch b/review-2.6.27/net-fix-sctp-breakage.patch similarity index 100% rename from queue-2.6.27/net-fix-sctp-breakage.patch rename to review-2.6.27/net-fix-sctp-breakage.patch diff --git a/queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch b/review-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch similarity index 100% rename from queue-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch rename to review-2.6.27/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch diff --git a/queue-2.6.27/pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch b/review-2.6.27/pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch similarity index 100% rename from queue-2.6.27/pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch rename to review-2.6.27/pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch diff --git a/queue-2.6.27/powerpc-sanitize-stack-pointer-in-signal-handling-code.patch b/review-2.6.27/powerpc-sanitize-stack-pointer-in-signal-handling-code.patch similarity index 100% rename from queue-2.6.27/powerpc-sanitize-stack-pointer-in-signal-handling-code.patch rename to review-2.6.27/powerpc-sanitize-stack-pointer-in-signal-handling-code.patch diff --git a/queue-2.6.27/r8169-don-t-update-statistics-counters-when-interface-is-down.patch b/review-2.6.27/r8169-don-t-update-statistics-counters-when-interface-is-down.patch similarity index 100% rename from queue-2.6.27/r8169-don-t-update-statistics-counters-when-interface-is-down.patch rename to review-2.6.27/r8169-don-t-update-statistics-counters-when-interface-is-down.patch diff --git a/queue-2.6.27/r8169-reset-intrstatus-after-chip-reset.patch b/review-2.6.27/r8169-reset-intrstatus-after-chip-reset.patch similarity index 100% rename from queue-2.6.27/r8169-reset-intrstatus-after-chip-reset.patch rename to review-2.6.27/r8169-reset-intrstatus-after-chip-reset.patch diff --git a/queue-2.6.27/r8169-use-hardware-auto-padding.patch b/review-2.6.27/r8169-use-hardware-auto-padding.patch similarity index 100% rename from queue-2.6.27/r8169-use-hardware-auto-padding.patch rename to review-2.6.27/r8169-use-hardware-auto-padding.patch diff --git a/queue-2.6.27/series b/review-2.6.27/series similarity index 100% rename from queue-2.6.27/series rename to review-2.6.27/series diff --git a/queue-2.6.27/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch b/review-2.6.27/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch similarity index 100% rename from queue-2.6.27/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch rename to review-2.6.27/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch diff --git a/queue-2.6.27/unreached-code-in-selinux_ip_postroute_iptables_compat.patch b/review-2.6.27/unreached-code-in-selinux_ip_postroute_iptables_compat.patch similarity index 100% rename from queue-2.6.27/unreached-code-in-selinux_ip_postroute_iptables_compat.patch rename to review-2.6.27/unreached-code-in-selinux_ip_postroute_iptables_compat.patch