From: Greg Kroah-Hartman Date: Fri, 4 Sep 2009 23:45:06 +0000 (-0700) Subject: start 2.6.27.32 review cycle X-Git-Tag: v2.6.27.32~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba1d8a23cc4e3fa50c7b731157ae063182a69a32;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.27.32 review cycle --- diff --git a/queue-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch b/review-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch similarity index 100% rename from queue-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch rename to review-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch diff --git a/queue-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch b/review-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch similarity index 100% rename from queue-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch rename to review-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch diff --git a/queue-2.6.27/appletalk-fix-atalk_getname-leak.patch b/review-2.6.27/appletalk-fix-atalk_getname-leak.patch similarity index 100% rename from queue-2.6.27/appletalk-fix-atalk_getname-leak.patch rename to review-2.6.27/appletalk-fix-atalk_getname-leak.patch diff --git a/queue-2.6.27/can-fix-raw_getname-leak.patch b/review-2.6.27/can-fix-raw_getname-leak.patch similarity index 100% rename from queue-2.6.27/can-fix-raw_getname-leak.patch rename to review-2.6.27/can-fix-raw_getname-leak.patch diff --git a/queue-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch b/review-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch similarity index 100% rename from queue-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch rename to review-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch diff --git a/queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch b/review-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch similarity index 100% rename from queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch rename to review-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch diff --git a/queue-2.6.27/econet-fix-econet_getname-leak.patch b/review-2.6.27/econet-fix-econet_getname-leak.patch similarity index 100% rename from queue-2.6.27/econet-fix-econet_getname-leak.patch rename to review-2.6.27/econet-fix-econet_getname-leak.patch diff --git a/queue-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch b/review-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch similarity index 100% rename from queue-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch rename to review-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch diff --git a/queue-2.6.27/irda-fix-irda_getname-leak.patch b/review-2.6.27/irda-fix-irda_getname-leak.patch similarity index 100% rename from queue-2.6.27/irda-fix-irda_getname-leak.patch rename to review-2.6.27/irda-fix-irda_getname-leak.patch diff --git a/queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch b/review-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch similarity index 100% rename from queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch rename to review-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch diff --git a/queue-2.6.27/kvm-add-mc5_misc-msr-read-support.patch b/review-2.6.27/kvm-add-mc5_misc-msr-read-support.patch similarity index 100% rename from queue-2.6.27/kvm-add-mc5_misc-msr-read-support.patch rename to review-2.6.27/kvm-add-mc5_misc-msr-read-support.patch diff --git a/queue-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch b/review-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch similarity index 100% rename from queue-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch rename to review-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch diff --git a/queue-2.6.27/kvm-don-t-call-get_user_pages.patch b/review-2.6.27/kvm-don-t-call-get_user_pages.patch similarity index 100% rename from queue-2.6.27/kvm-don-t-call-get_user_pages.patch rename to review-2.6.27/kvm-don-t-call-get_user_pages.patch diff --git a/queue-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch b/review-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch similarity index 100% rename from queue-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch rename to review-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch diff --git a/queue-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch b/review-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch similarity index 100% rename from queue-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch rename to review-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch diff --git a/queue-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch b/review-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch similarity index 100% rename from queue-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch rename to review-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch diff --git a/queue-2.6.27/kvm-load-real-mode-segments-correctly.patch b/review-2.6.27/kvm-load-real-mode-segments-correctly.patch similarity index 100% rename from queue-2.6.27/kvm-load-real-mode-segments-correctly.patch rename to review-2.6.27/kvm-load-real-mode-segments-correctly.patch diff --git a/queue-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch b/review-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch similarity index 100% rename from queue-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch rename to review-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch diff --git a/queue-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch b/review-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch similarity index 100% rename from queue-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch rename to review-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch diff --git a/queue-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch b/review-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch rename to review-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch diff --git a/queue-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch b/review-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch rename to review-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch diff --git a/queue-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch b/review-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch rename to review-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch diff --git a/queue-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch b/review-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch rename to review-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch diff --git a/queue-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch b/review-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch rename to review-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch diff --git a/queue-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch b/review-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch similarity index 100% rename from queue-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch rename to review-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch diff --git a/queue-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch b/review-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch similarity index 100% rename from queue-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch rename to review-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch diff --git a/queue-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch b/review-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch similarity index 100% rename from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch rename to review-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch diff --git a/queue-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch b/review-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch similarity index 100% rename from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch rename to review-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch diff --git a/queue-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch b/review-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch similarity index 100% rename from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch rename to review-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch diff --git a/queue-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch b/review-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch similarity index 100% rename from queue-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch rename to review-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch diff --git a/queue-2.6.27/kvm-svm-remove-port-80-passthrough.patch b/review-2.6.27/kvm-svm-remove-port-80-passthrough.patch similarity index 100% rename from queue-2.6.27/kvm-svm-remove-port-80-passthrough.patch rename to review-2.6.27/kvm-svm-remove-port-80-passthrough.patch diff --git a/queue-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch b/review-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch similarity index 100% rename from queue-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch rename to review-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch diff --git a/queue-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch b/review-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch similarity index 100% rename from queue-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch rename to review-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch diff --git a/queue-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch b/review-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch similarity index 100% rename from queue-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch rename to review-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch diff --git a/queue-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch b/review-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch similarity index 100% rename from queue-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch rename to review-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch diff --git a/queue-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch b/review-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch similarity index 100% rename from queue-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch rename to review-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch diff --git a/queue-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch b/review-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch similarity index 100% rename from queue-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch rename to review-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox new file mode 100644 index 00000000000..38e6f2da08d --- /dev/null +++ b/review-2.6.27/mbox @@ -0,0 +1,4000 @@ +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.052613921@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:13 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Takashi Iwai +Subject: [patch 01/48] ALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch +Content-Length: 3970 +Lines: 98 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Takashi Iwai + +commit a3f730af7e33cea10ea66f05b2565fde1f9512df upstream. + +This patch fixes the wrong headphone output routing for MacBookPro 3,1/4,1 +quirk with ALC889A codec, which caused the silent headphone output. +Also, this gives the individual Headphone and Speaker volume controls. + +Reference: kernel bug#14078 + http://bugzilla.kernel.org/show_bug.cgi?id=14078 + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 34 ++++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5580,9 +5580,9 @@ static struct hda_verb alc885_mbp_ch2_in + }; + + /* +- * 6ch mode ++ * 4ch mode + */ +-static struct hda_verb alc885_mbp_ch6_init[] = { ++static struct hda_verb alc885_mbp_ch4_init[] = { + { 0x1a, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT }, + { 0x1a, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, + { 0x1a, AC_VERB_SET_CONNECT_SEL, 0x01 }, +@@ -5591,9 +5591,9 @@ static struct hda_verb alc885_mbp_ch6_in + { } /* end */ + }; + +-static struct hda_channel_mode alc885_mbp_6ch_modes[2] = { ++static struct hda_channel_mode alc885_mbp_4ch_modes[2] = { + { 2, alc885_mbp_ch2_init }, +- { 6, alc885_mbp_ch6_init }, ++ { 4, alc885_mbp_ch4_init }, + }; + + +@@ -5628,10 +5628,11 @@ static struct snd_kcontrol_new alc882_ba + }; + + static struct snd_kcontrol_new alc885_mbp3_mixer[] = { +- HDA_CODEC_VOLUME("Front Playback Volume", 0x0c, 0x00, HDA_OUTPUT), +- HDA_BIND_MUTE ("Front Playback Switch", 0x0c, 0x02, HDA_INPUT), +- HDA_CODEC_MUTE ("Speaker Playback Switch", 0x14, 0x00, HDA_OUTPUT), +- HDA_CODEC_VOLUME("Line-Out Playback Volume", 0x0d, 0x00, HDA_OUTPUT), ++ HDA_CODEC_VOLUME("Speaker Playback Volume", 0x0c, 0x00, HDA_OUTPUT), ++ HDA_BIND_MUTE ("Speaker Playback Switch", 0x0c, 0x02, HDA_INPUT), ++ HDA_CODEC_VOLUME("Headphone Playback Volume", 0x0e, 0x00, HDA_OUTPUT), ++ HDA_BIND_MUTE ("Headphone Playback Switch", 0x0e, 0x02, HDA_INPUT), ++ HDA_CODEC_VOLUME("Surround Playback Volume", 0x0d, 0x00, HDA_OUTPUT), + HDA_CODEC_VOLUME("Line Playback Volume", 0x0b, 0x02, HDA_INPUT), + HDA_CODEC_MUTE ("Line Playback Switch", 0x0b, 0x02, HDA_INPUT), + HDA_CODEC_VOLUME("Mic Playback Volume", 0x0b, 0x00, HDA_INPUT), +@@ -5879,14 +5880,18 @@ static struct hda_verb alc885_mbp3_init_ + {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_ZERO}, + {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)}, + {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(1)}, ++ /* HP mixer */ ++ {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_ZERO}, ++ {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)}, ++ {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(1)}, + /* Front Pin: output 0 (0x0c) */ + {0x14, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT}, + {0x14, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, + {0x14, AC_VERB_SET_CONNECT_SEL, 0x00}, +- /* HP Pin: output 0 (0x0d) */ ++ /* HP Pin: output 0 (0x0e) */ + {0x15, AC_VERB_SET_PIN_WIDGET_CONTROL, 0xc4}, +- {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE}, +- {0x15, AC_VERB_SET_CONNECT_SEL, 0x00}, ++ {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE}, ++ {0x15, AC_VERB_SET_CONNECT_SEL, 0x02}, + {0x15, AC_VERB_SET_UNSOLICITED_ENABLE, ALC880_HP_EVENT | AC_USRSP_EN}, + /* Mic (rear) pin: input vref at 80% */ + {0x18, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_VREF80}, +@@ -6326,10 +6331,11 @@ static struct alc_config_preset alc882_p + .mixers = { alc885_mbp3_mixer, alc882_chmode_mixer }, + .init_verbs = { alc885_mbp3_init_verbs, + alc880_gpio1_init_verbs }, +- .num_dacs = ARRAY_SIZE(alc882_dac_nids), ++ .num_dacs = 2, + .dac_nids = alc882_dac_nids, +- .channel_mode = alc885_mbp_6ch_modes, +- .num_channel_mode = ARRAY_SIZE(alc885_mbp_6ch_modes), ++ .hp_nid = 0x04, ++ .channel_mode = alc885_mbp_4ch_modes, ++ .num_channel_mode = ARRAY_SIZE(alc885_mbp_4ch_modes), + .input_mux = &alc882_capture_source, + .dig_out_nid = ALC882_DIGOUT_NID, + .dig_in_nid = ALC882_DIGIN_NID, + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.199599575@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:14 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oleg Nesterov , + Roland McGrath , + KAMEZAWA Hiroyuki +Subject: [patch 02/48] clone(): fix race between copy_process() and de_thread() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=clone-fix-race-between-copy_process-and-de_thread.patch +Content-Length: 3721 +Lines: 142 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Oleg Nesterov + +commit 4ab6c08336535f8c8e42cf45d7adeda882eff06e upstream. + +Spotted by Hiroshi Shimamoto who also provided the test-case below. + +copy_process() uses signal->count as a reference counter, but it is not. +This test case + + #include + #include + #include + #include + #include + #include + + void *null_thread(void *p) + { + for (;;) + sleep(1); + + return NULL; + } + + void *exec_thread(void *p) + { + execl("/bin/true", "/bin/true", NULL); + + return null_thread(p); + } + + int main(int argc, char **argv) + { + for (;;) { + pid_t pid; + int ret, status; + + pid = fork(); + if (pid < 0) + break; + + if (!pid) { + pthread_t tid; + + pthread_create(&tid, NULL, exec_thread, NULL); + for (;;) + pthread_create(&tid, NULL, null_thread, NULL); + } + + do { + ret = waitpid(pid, &status, 0); + } while (ret == -1 && errno == EINTR); + } + + return 0; + } + +quickly creates an unkillable task. + +If copy_process(CLONE_THREAD) races with de_thread() +copy_signal()->atomic(signal->count) breaks the signal->notify_count +logic, and the execing thread can hang forever in kernel space. + +Change copy_process() to increment count/live only when we know for sure +we can't fail. In this case the forked thread will take care of its +reference to signal correctly. + +If copy_process() fails, check CLONE_THREAD flag. If it it set - do +nothing, the counters were not changed and current belongs to the same +thread group. If it is not set, ->signal must be released in any case +(and ->count must be == 1), the forked child is the only thread in the +thread group. + +We need more cleanups here, in particular signal->count should not be used +by de_thread/__exit_signal at all. This patch only fixes the bug. + +Reported-by: Hiroshi Shimamoto +Tested-by: Hiroshi Shimamoto +Signed-off-by: Oleg Nesterov +Acked-by: Roland McGrath +Cc: KAMEZAWA Hiroyuki +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -767,11 +767,9 @@ static int copy_signal(unsigned long clo + struct signal_struct *sig; + int ret; + +- if (clone_flags & CLONE_THREAD) { +- atomic_inc(¤t->signal->count); +- atomic_inc(¤t->signal->live); ++ if (clone_flags & CLONE_THREAD) + return 0; +- } ++ + sig = kmem_cache_alloc(signal_cachep, GFP_KERNEL); + tsk->signal = sig; + if (!sig) +@@ -844,16 +842,6 @@ void __cleanup_signal(struct signal_stru + kmem_cache_free(signal_cachep, sig); + } + +-static void cleanup_signal(struct task_struct *tsk) +-{ +- struct signal_struct *sig = tsk->signal; +- +- atomic_dec(&sig->live); +- +- if (atomic_dec_and_test(&sig->count)) +- __cleanup_signal(sig); +-} +- + static void copy_flags(unsigned long clone_flags, struct task_struct *p) + { + unsigned long new_flags = p->flags; +@@ -1201,6 +1189,8 @@ static struct task_struct *copy_process( + } + + if (clone_flags & CLONE_THREAD) { ++ atomic_inc(¤t->signal->count); ++ atomic_inc(¤t->signal->live); + p->group_leader = current->group_leader; + list_add_tail_rcu(&p->thread_group, &p->group_leader->thread_group); + +@@ -1261,7 +1251,8 @@ bad_fork_cleanup_mm: + if (p->mm) + mmput(p->mm); + bad_fork_cleanup_signal: +- cleanup_signal(p); ++ if (!(clone_flags & CLONE_THREAD)) ++ __cleanup_signal(p->signal); + bad_fork_cleanup_sighand: + __cleanup_sighand(p->sighand); + bad_fork_cleanup_fs: + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.355960571@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:15 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Hannes Hering , + "David S. Miller" +Subject: [patch 03/48] ehea: Fix napi list corruption on ifconfig down +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=ehea-fix-napi-list-corruption-on-ifconfig-down.patch +Content-Length: 698 +Lines: 28 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Hannes Hering + +commit 357eb46d8f275b4e8484541234ea3ba06065e258 upstream. + +This patch fixes the napi list handling when an ehea interface is shut +down to avoid corruption of the napi list. + +Signed-off-by: Hannes Hering +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ehea/ehea_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ehea/ehea_main.c ++++ b/drivers/net/ehea/ehea_main.c +@@ -1530,6 +1530,9 @@ static int ehea_clean_portres(struct ehe + { + int ret, i; + ++ if (pr->qp) ++ netif_napi_del(&pr->napi); ++ + ret = ehea_destroy_qp(pr->qp); + + if (!ret) { + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.531838310@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:16 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Clemens Ladisch , + Takashi Iwai +Subject: [patch 04/48] sound: pcm_lib: fix unsorted list constraint handling +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=sound-pcm_lib-fix-unsorted-list-constraint-handling.patch +Content-Length: 2445 +Lines: 82 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Clemens Ladisch + +commit b1ddaf681e362ed453182ddee1699d7487069a16 upstream. + +snd_interval_list() expected a sorted list but did not document this, so +there are drivers that give it an unsorted list. To fix this, change +the algorithm to work with any list. + +This fixes the "Slave PCM not usable" error with USB devices that have +multiple alternate settings with sample rates in decreasing order, such +as the Philips Askey VC010 WebCam. + +http://bugzilla.kernel.org/show_bug.cgi?id=14028 + +Reported-and-tested-by: Andrzej +Signed-off-by: Clemens Ladisch +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_lib.c | 39 ++++++++------------------------------- + 1 file changed, 8 insertions(+), 31 deletions(-) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -779,47 +779,24 @@ static int snd_interval_ratden(struct sn + int snd_interval_list(struct snd_interval *i, unsigned int count, unsigned int *list, unsigned int mask) + { + unsigned int k; +- int changed = 0; ++ struct snd_interval list_range; + + if (!count) { + i->empty = 1; + return -EINVAL; + } ++ snd_interval_any(&list_range); ++ list_range.min = UINT_MAX; ++ list_range.max = 0; + for (k = 0; k < count; k++) { + if (mask && !(mask & (1 << k))) + continue; +- if (i->min == list[k] && !i->openmin) +- goto _l1; +- if (i->min < list[k]) { +- i->min = list[k]; +- i->openmin = 0; +- changed = 1; +- goto _l1; +- } +- } +- i->empty = 1; +- return -EINVAL; +- _l1: +- for (k = count; k-- > 0;) { +- if (mask && !(mask & (1 << k))) ++ if (!snd_interval_test(i, list[k])) + continue; +- if (i->max == list[k] && !i->openmax) +- goto _l2; +- if (i->max > list[k]) { +- i->max = list[k]; +- i->openmax = 0; +- changed = 1; +- goto _l2; +- } ++ list_range.min = min(list_range.min, list[k]); ++ list_range.max = max(list_range.max, list[k]); + } +- i->empty = 1; +- return -EINVAL; +- _l2: +- if (snd_interval_checkempty(i)) { +- i->empty = 1; +- return -EINVAL; +- } +- return changed; ++ return snd_interval_refine(i, &list_range); + } + + EXPORT_SYMBOL(snd_interval_list); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.690791337@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:17 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Trond Myklebust +Subject: [patch 05/48] SUNRPC: Fix rpc_task_force_reencode +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=sunrpc-fix-rpc_task_force_reencode.patch +Content-Length: 879 +Lines: 30 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +commit 2574cc9f4ffc6c681c9177111357efe5b76f0e36 upstream. + +This patch fixes the bug that was reported in + http://bugzilla.kernel.org/show_bug.cgi?id=14053 + +If we're in the case where we need to force a reencode and then resend of +the RPC request, due to xprt_transmit failing with a networking error, then +we _must_ retransmit the entire request. + +Signed-off-by: Trond Myklebust +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/clnt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -860,6 +860,7 @@ static inline void + rpc_task_force_reencode(struct rpc_task *task) + { + task->tk_rqstp->rq_snd_buf.len = 0; ++ task->tk_rqstp->rq_bytes_sent = 0; + } + + static inline void + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:50 2009 +Message-Id: <20090904200850.849943398@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:18 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 06/48] KVM: VMX: Change cs reset state to be a data segment +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch +Content-Length: 988 +Lines: 33 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 5706be0dafd6f42852f85fbae292301dcad4ccec) + +Real mode cs is a data segment, not a code segment. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2036,6 +2036,7 @@ static int vmx_vcpu_reset(struct kvm_vcp + + fx_init(&vmx->vcpu); + ++ seg_setup(VCPU_SREG_CS); + /* + * GUEST_CS_BASE should really be 0xffff0000, but VT vm86 mode + * insists on having GUEST_CS_BASE == GUEST_CS_SELECTOR << 4. Sigh. +@@ -2047,8 +2048,6 @@ static int vmx_vcpu_reset(struct kvm_vcp + vmcs_write16(GUEST_CS_SELECTOR, vmx->vcpu.arch.sipi_vector << 8); + vmcs_writel(GUEST_CS_BASE, vmx->vcpu.arch.sipi_vector << 12); + } +- vmcs_write32(GUEST_CS_LIMIT, 0xffff); +- vmcs_write32(GUEST_CS_AR_BYTES, 0x9b); + + seg_setup(VCPU_SREG_DS); + seg_setup(VCPU_SREG_ES); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.000111021@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:19 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 07/48] KVM: VMX: Change segment dpl at reset to 3 +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-vmx-change-segment-dpl-at-reset-to-3.patch +Content-Length: 670 +Lines: 25 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit a16b20da879430fdf245ed45461ed40ffef8db3c) + +This is more emulation friendly, if not 100% correct. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1789,7 +1789,7 @@ static void seg_setup(int seg) + vmcs_write16(sf->selector, 0); + vmcs_writel(sf->base, 0); + vmcs_write32(sf->limit, 0xffff); +- vmcs_write32(sf->ar_bytes, 0x93); ++ vmcs_write32(sf->ar_bytes, 0xf3); + } + + static int alloc_apic_access_page(struct kvm *kvm) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.157785189@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:20 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 08/48] KVM: Load real mode segments correctly +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-load-real-mode-segments-correctly.patch +Content-Length: 1236 +Lines: 51 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit f4bbd9aaaae23007e4d79536d35a30cbbb11d407) + +Real mode segments to not reference the GDT or LDT; they simply compute +base = selector * 16. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3294,11 +3294,33 @@ static int load_segment_descriptor_to_kv + return 0; + } + ++int kvm_load_realmode_segment(struct kvm_vcpu *vcpu, u16 selector, int seg) ++{ ++ struct kvm_segment segvar = { ++ .base = selector << 4, ++ .limit = 0xffff, ++ .selector = selector, ++ .type = 3, ++ .present = 1, ++ .dpl = 3, ++ .db = 0, ++ .s = 1, ++ .l = 0, ++ .g = 0, ++ .avl = 0, ++ .unusable = 0, ++ }; ++ kvm_x86_ops->set_segment(vcpu, &segvar, seg); ++ return 0; ++} ++ + int kvm_load_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector, + int type_bits, int seg) + { + struct kvm_segment kvm_seg; + ++ if (!(vcpu->arch.cr0 & X86_CR0_PE)) ++ return kvm_load_realmode_segment(vcpu, selector, seg); + if (load_segment_descriptor_to_kvm_desct(vcpu, selector, &kvm_seg)) + return 1; + kvm_seg.type |= type_bits; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.340681047@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:21 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 09/48] KVM: Allocate guest memory as MAP_PRIVATE, not MAP_SHARED +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-allocate-guest-memory-as-map_private-not-map_shared.patch +Content-Length: 699 +Lines: 25 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit acee3c04e8208c17aad1baff99baa68d71640a19) + +There is no reason to share internal memory slots with fork()ed instances. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4003,7 +4003,7 @@ int kvm_arch_set_memory_region(struct kv + userspace_addr = do_mmap(NULL, 0, + npages * PAGE_SIZE, + PROT_READ | PROT_WRITE, +- MAP_SHARED | MAP_ANONYMOUS, ++ MAP_PRIVATE | MAP_ANONYMOUS, + 0); + up_write(¤t->mm->mmap_sem); + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.493781097@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:22 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 10/48] KVM: Dont call get_user_pages(.force = 1) +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-don-t-call-get_user_pages.patch +Content-Length: 790 +Lines: 27 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit d657c7335b97d746aa6123c56504b46c20e37df3) + +This is esoteric and only needed to break COW on MAP_SHARED mappings. Since +KVM no longer does these sorts of mappings, breaking COW on them is no longer +necessary. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -726,7 +726,7 @@ pfn_t gfn_to_pfn(struct kvm *kvm, gfn_t + return page_to_pfn(bad_page); + } + +- npages = get_user_pages(current, current->mm, addr, 1, 1, 1, page, ++ npages = get_user_pages(current, current->mm, addr, 1, 1, 0, page, + NULL); + + if (unlikely(npages != 1)) { + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.629953579@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 11/48] KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch +Content-Length: 829 +Lines: 33 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 2245a28fe2e6fdb1bdabc4dcde1ea3a5c37e2a9e) + +It was generally safe due to slots_lock being held for write, but it wasn't +very nice. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2055,6 +2055,7 @@ void kvm_mmu_slot_remove_write_access(st + { + struct kvm_mmu_page *sp; + ++ spin_lock(&kvm->mmu_lock); + list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) { + int i; + u64 *pt; +@@ -2068,6 +2069,7 @@ void kvm_mmu_slot_remove_write_access(st + if (pt[i] & PT_WRITABLE_MASK) + pt[i] &= ~PT_WRITABLE_MASK; + } ++ spin_unlock(&kvm->mmu_lock); + } + + void kvm_mmu_zap_all(struct kvm *kvm) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:51 2009 +Message-Id: <20090904200851.795978998@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 12/48] KVM: MMU: Flush tlbs after clearing write permission when accessing dirty log +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch +Content-Length: 640 +Lines: 25 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 171d595d3b3254b9a952af8d1f6965d2e85dcbaa) + +Otherwise, the cpu may allow writes to the tracked pages, and we lose +some display bits or fail to migrate correctly. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2069,6 +2069,7 @@ void kvm_mmu_slot_remove_write_access(st + if (pt[i] & PT_WRITABLE_MASK) + pt[i] &= ~PT_WRITABLE_MASK; + } ++ kvm_flush_remote_tlbs(kvm); + spin_unlock(&kvm->mmu_lock); + } + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:52 2009 +Message-Id: <20090904200851.940224778@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Avi Kivity +Subject: [patch 13/48] KVM: MMU: Fix setting the accessed bit on non-speculative sptes +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch +Content-Length: 890 +Lines: 30 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 3201b5d9f0f7ef392886cd76dcd2c69186d9d5cd) + +The accessed bit was accidentally turned on in a random flag word, rather +than, the spte itself, which was lucky, since it used the non-EPT compatible +PT_ACCESSED_MASK. + +Fix by turning the bit on in the spte and changing it to use the portable +accessed mask. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1162,7 +1162,7 @@ static void mmu_set_spte(struct kvm_vcpu + */ + spte = shadow_base_present_pte | shadow_dirty_mask; + if (!speculative) +- pte_access |= PT_ACCESSED_MASK; ++ spte |= shadow_accessed_mask; + if (!dirty) + pte_access &= ~ACC_WRITE_MASK; + if (pte_access & ACC_EXEC_MASK) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:52 2009 +Message-Id: <20090904200852.199656362@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Dave Hansen , + Avi Kivity +Subject: [patch 14/48] KVM: Reduce kvm stack usage in kvm_arch_vm_ioctl() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch +Content-Length: 4518 +Lines: 164 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Dave Hansen + +(cherry picked from commit f0d662759a2465babdba1160749c446648c9d159) + +On my machine with gcc 3.4, kvm uses ~2k of stack in a few +select functions. This is mostly because gcc fails to +notice that the different case: statements could have their +stack usage combined. It overflows very nicely if interrupts +happen during one of these large uses. + +This patch uses two methods for reducing stack usage. +1. dynamically allocate large objects instead of putting + on the stack. +2. Use a union{} member for all of the case variables. This + tricks gcc into combining them all into a single stack + allocation. (There's also a comment on this) + +Signed-off-by: Dave Hansen +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 72 +++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 45 insertions(+), 27 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1630,6 +1630,15 @@ long kvm_arch_vm_ioctl(struct file *filp + struct kvm *kvm = filp->private_data; + void __user *argp = (void __user *)arg; + int r = -EINVAL; ++ /* ++ * This union makes it completely explicit to gcc-3.x ++ * that these two variables' stack usage should be ++ * combined, not added together. ++ */ ++ union { ++ struct kvm_pit_state ps; ++ struct kvm_memory_alias alias; ++ } u; + + switch (ioctl) { + case KVM_SET_TSS_ADDR: +@@ -1661,17 +1670,14 @@ long kvm_arch_vm_ioctl(struct file *filp + case KVM_GET_NR_MMU_PAGES: + r = kvm_vm_ioctl_get_nr_mmu_pages(kvm); + break; +- case KVM_SET_MEMORY_ALIAS: { +- struct kvm_memory_alias alias; +- ++ case KVM_SET_MEMORY_ALIAS: + r = -EFAULT; +- if (copy_from_user(&alias, argp, sizeof alias)) ++ if (copy_from_user(&u.alias, argp, sizeof(struct kvm_memory_alias))) + goto out; +- r = kvm_vm_ioctl_set_memory_alias(kvm, &alias); ++ r = kvm_vm_ioctl_set_memory_alias(kvm, &u.alias); + if (r) + goto out; + break; +- } + case KVM_CREATE_IRQCHIP: + r = -ENOMEM; + kvm->arch.vpic = kvm_create_pic(kvm); +@@ -1713,65 +1719,77 @@ long kvm_arch_vm_ioctl(struct file *filp + } + case KVM_GET_IRQCHIP: { + /* 0: PIC master, 1: PIC slave, 2: IOAPIC */ +- struct kvm_irqchip chip; ++ struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL); + +- r = -EFAULT; +- if (copy_from_user(&chip, argp, sizeof chip)) ++ r = -ENOMEM; ++ if (!chip) + goto out; ++ r = -EFAULT; ++ if (copy_from_user(chip, argp, sizeof *chip)) ++ goto get_irqchip_out; + r = -ENXIO; + if (!irqchip_in_kernel(kvm)) +- goto out; +- r = kvm_vm_ioctl_get_irqchip(kvm, &chip); ++ goto get_irqchip_out; ++ r = kvm_vm_ioctl_get_irqchip(kvm, chip); + if (r) +- goto out; ++ goto get_irqchip_out; + r = -EFAULT; +- if (copy_to_user(argp, &chip, sizeof chip)) +- goto out; ++ if (copy_to_user(argp, chip, sizeof *chip)) ++ goto get_irqchip_out; + r = 0; ++ get_irqchip_out: ++ kfree(chip); ++ if (r) ++ goto out; + break; + } + case KVM_SET_IRQCHIP: { + /* 0: PIC master, 1: PIC slave, 2: IOAPIC */ +- struct kvm_irqchip chip; ++ struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL); + +- r = -EFAULT; +- if (copy_from_user(&chip, argp, sizeof chip)) ++ r = -ENOMEM; ++ if (!chip) + goto out; ++ r = -EFAULT; ++ if (copy_from_user(chip, argp, sizeof *chip)) ++ goto set_irqchip_out; + r = -ENXIO; + if (!irqchip_in_kernel(kvm)) +- goto out; +- r = kvm_vm_ioctl_set_irqchip(kvm, &chip); ++ goto set_irqchip_out; ++ r = kvm_vm_ioctl_set_irqchip(kvm, chip); + if (r) +- goto out; ++ goto set_irqchip_out; + r = 0; ++ set_irqchip_out: ++ kfree(chip); ++ if (r) ++ goto out; + break; + } + case KVM_GET_PIT: { +- struct kvm_pit_state ps; + r = -EFAULT; +- if (copy_from_user(&ps, argp, sizeof ps)) ++ if (copy_from_user(&u.ps, argp, sizeof(struct kvm_pit_state))) + goto out; + r = -ENXIO; + if (!kvm->arch.vpit) + goto out; +- r = kvm_vm_ioctl_get_pit(kvm, &ps); ++ r = kvm_vm_ioctl_get_pit(kvm, &u.ps); + if (r) + goto out; + r = -EFAULT; +- if (copy_to_user(argp, &ps, sizeof ps)) ++ if (copy_to_user(argp, &u.ps, sizeof(struct kvm_pit_state))) + goto out; + r = 0; + break; + } + case KVM_SET_PIT: { +- struct kvm_pit_state ps; + r = -EFAULT; +- if (copy_from_user(&ps, argp, sizeof ps)) ++ if (copy_from_user(&u.ps, argp, sizeof u.ps)) + goto out; + r = -ENXIO; + if (!kvm->arch.vpit) + goto out; +- r = kvm_vm_ioctl_set_pit(kvm, &ps); ++ r = kvm_vm_ioctl_set_pit(kvm, &u.ps); + if (r) + goto out; + r = 0; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:52 2009 +Message-Id: <20090904200852.437826917@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Dave Hansen , + Avi Kivity +Subject: [patch 15/48] KVM: Reduce stack usage in kvm_vcpu_ioctl() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch +Content-Length: 2817 +Lines: 109 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Dave Hansen + +(cherry picked from commit fa3795a7308df099f0f2c9e5ca2c20a5ff65bdc4) + +Signed-off-by: Dave Hansen +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 46 ++++++++++++++++++++++++++++------------------ + 1 file changed, 28 insertions(+), 18 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1118,6 +1118,8 @@ static long kvm_vcpu_ioctl(struct file * + struct kvm_vcpu *vcpu = filp->private_data; + void __user *argp = (void __user *)arg; + int r; ++ struct kvm_fpu *fpu = NULL; ++ struct kvm_sregs *kvm_sregs = NULL; + + if (vcpu->kvm->mm != current->mm) + return -EIO; +@@ -1165,25 +1167,28 @@ out_free2: + break; + } + case KVM_GET_SREGS: { +- struct kvm_sregs kvm_sregs; +- +- memset(&kvm_sregs, 0, sizeof kvm_sregs); +- r = kvm_arch_vcpu_ioctl_get_sregs(vcpu, &kvm_sregs); ++ kvm_sregs = kzalloc(sizeof(struct kvm_sregs), GFP_KERNEL); ++ r = -ENOMEM; ++ if (!kvm_sregs) ++ goto out; ++ r = kvm_arch_vcpu_ioctl_get_sregs(vcpu, kvm_sregs); + if (r) + goto out; + r = -EFAULT; +- if (copy_to_user(argp, &kvm_sregs, sizeof kvm_sregs)) ++ if (copy_to_user(argp, kvm_sregs, sizeof(struct kvm_sregs))) + goto out; + r = 0; + break; + } + case KVM_SET_SREGS: { +- struct kvm_sregs kvm_sregs; +- ++ kvm_sregs = kmalloc(sizeof(struct kvm_sregs), GFP_KERNEL); ++ r = -ENOMEM; ++ if (!kvm_sregs) ++ goto out; + r = -EFAULT; +- if (copy_from_user(&kvm_sregs, argp, sizeof kvm_sregs)) ++ if (copy_from_user(kvm_sregs, argp, sizeof(struct kvm_sregs))) + goto out; +- r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, &kvm_sregs); ++ r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs); + if (r) + goto out; + r = 0; +@@ -1264,25 +1269,28 @@ out_free2: + break; + } + case KVM_GET_FPU: { +- struct kvm_fpu fpu; +- +- memset(&fpu, 0, sizeof fpu); +- r = kvm_arch_vcpu_ioctl_get_fpu(vcpu, &fpu); ++ fpu = kzalloc(sizeof(struct kvm_fpu), GFP_KERNEL); ++ r = -ENOMEM; ++ if (!fpu) ++ goto out; ++ r = kvm_arch_vcpu_ioctl_get_fpu(vcpu, fpu); + if (r) + goto out; + r = -EFAULT; +- if (copy_to_user(argp, &fpu, sizeof fpu)) ++ if (copy_to_user(argp, fpu, sizeof(struct kvm_fpu))) + goto out; + r = 0; + break; + } + case KVM_SET_FPU: { +- struct kvm_fpu fpu; +- ++ fpu = kmalloc(sizeof(struct kvm_fpu), GFP_KERNEL); ++ r = -ENOMEM; ++ if (!fpu) ++ goto out; + r = -EFAULT; +- if (copy_from_user(&fpu, argp, sizeof fpu)) ++ if (copy_from_user(fpu, argp, sizeof(struct kvm_fpu))) + goto out; +- r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, &fpu); ++ r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu); + if (r) + goto out; + r = 0; +@@ -1292,6 +1300,8 @@ out_free2: + r = kvm_arch_vcpu_ioctl(filp, ioctl, arg); + } + out: ++ kfree(fpu); ++ kfree(kvm_sregs); + return r; + } + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:52 2009 +Message-Id: <20090904200852.685554919@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sheng Yang , + Avi Kivity , + Dave Hansen , + Avi Kivity +Subject: [patch 16/48] KVM: Reduce stack usage in kvm_arch_vcpu_ioctl() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch +Content-Length: 1810 +Lines: 69 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Dave Hansen + +(cherry picked from commit b772ff362ec6b821c8a5227a3355e263f917bfad) + +[sheng: fix KVM_GET_LAPIC using wrong size] + +Signed-off-by: Dave Hansen +Signed-off-by: Sheng Yang +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1303,28 +1303,33 @@ long kvm_arch_vcpu_ioctl(struct file *fi + struct kvm_vcpu *vcpu = filp->private_data; + void __user *argp = (void __user *)arg; + int r; ++ struct kvm_lapic_state *lapic = NULL; + + switch (ioctl) { + case KVM_GET_LAPIC: { +- struct kvm_lapic_state lapic; ++ lapic = kzalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL); + +- memset(&lapic, 0, sizeof lapic); +- r = kvm_vcpu_ioctl_get_lapic(vcpu, &lapic); ++ r = -ENOMEM; ++ if (!lapic) ++ goto out; ++ r = kvm_vcpu_ioctl_get_lapic(vcpu, lapic); + if (r) + goto out; + r = -EFAULT; +- if (copy_to_user(argp, &lapic, sizeof lapic)) ++ if (copy_to_user(argp, lapic, sizeof(struct kvm_lapic_state))) + goto out; + r = 0; + break; + } + case KVM_SET_LAPIC: { +- struct kvm_lapic_state lapic; +- ++ lapic = kmalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL); ++ r = -ENOMEM; ++ if (!lapic) ++ goto out; + r = -EFAULT; +- if (copy_from_user(&lapic, argp, sizeof lapic)) ++ if (copy_from_user(lapic, argp, sizeof(struct kvm_lapic_state))) + goto out; +- r = kvm_vcpu_ioctl_set_lapic(vcpu, &lapic);; ++ r = kvm_vcpu_ioctl_set_lapic(vcpu, lapic); + if (r) + goto out; + r = 0; +@@ -1422,6 +1427,8 @@ long kvm_arch_vcpu_ioctl(struct file *fi + r = -EINVAL; + } + out: ++ if (lapic) ++ kfree(lapic); + return r; + } + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:52 2009 +Message-Id: <20090904200852.821221381@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Dave Hansen , + Avi Kivity +Subject: [patch 17/48] KVM: Reduce stack usage in kvm_pv_mmu_op() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch +Content-Length: 2848 +Lines: 99 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Dave Hansen + +(cherry picked from commit 6ad18fba05228fb1d47cdbc0339fe8b3fca1ca26) + +We're in a hot path. We can't use kmalloc() because +it might impact performance. So, we just stick the buffer that +we need into the kvm_vcpu_arch structure. This is used very +often, so it is not really a waste. + +We also have to move the buffer structure's definition to the +arch-specific x86 kvm header. + +Signed-off-by: Dave Hansen +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 23 ++++++++--------------- + include/asm-x86/kvm_host.h | 10 ++++++++++ + 2 files changed, 18 insertions(+), 15 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -135,13 +135,6 @@ module_param(dbg, bool, 0644); + #define ACC_USER_MASK PT_USER_MASK + #define ACC_ALL (ACC_EXEC_MASK | ACC_WRITE_MASK | ACC_USER_MASK) + +-struct kvm_pv_mmu_op_buffer { +- void *ptr; +- unsigned len; +- unsigned processed; +- char buf[512] __aligned(sizeof(long)); +-}; +- + struct kvm_rmap_desc { + u64 *shadow_ptes[RMAP_EXT]; + struct kvm_rmap_desc *more; +@@ -2294,18 +2287,18 @@ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, + gpa_t addr, unsigned long *ret) + { + int r; +- struct kvm_pv_mmu_op_buffer buffer; ++ struct kvm_pv_mmu_op_buffer *buffer = &vcpu->arch.mmu_op_buffer; + +- buffer.ptr = buffer.buf; +- buffer.len = min_t(unsigned long, bytes, sizeof buffer.buf); +- buffer.processed = 0; ++ buffer->ptr = buffer->buf; ++ buffer->len = min_t(unsigned long, bytes, sizeof buffer->buf); ++ buffer->processed = 0; + +- r = kvm_read_guest(vcpu->kvm, addr, buffer.buf, buffer.len); ++ r = kvm_read_guest(vcpu->kvm, addr, buffer->buf, buffer->len); + if (r) + goto out; + +- while (buffer.len) { +- r = kvm_pv_mmu_op_one(vcpu, &buffer); ++ while (buffer->len) { ++ r = kvm_pv_mmu_op_one(vcpu, buffer); + if (r < 0) + goto out; + if (r == 0) +@@ -2314,7 +2307,7 @@ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, + + r = 1; + out: +- *ret = buffer.processed; ++ *ret = buffer->processed; + return r; + } + +--- a/include/asm-x86/kvm_host.h ++++ b/include/asm-x86/kvm_host.h +@@ -195,6 +195,13 @@ struct kvm_mmu_page { + }; + }; + ++struct kvm_pv_mmu_op_buffer { ++ void *ptr; ++ unsigned len; ++ unsigned processed; ++ char buf[512] __aligned(sizeof(long)); ++}; ++ + /* + * x86 supports 3 paging modes (4-level 64-bit, 3-level 64-bit, and 2-level + * 32-bit). The kvm_mmu structure abstracts the details of the current mmu +@@ -237,6 +244,9 @@ struct kvm_vcpu_arch { + bool tpr_access_reporting; + + struct kvm_mmu mmu; ++ /* only needed in kvm_pv_mmu_op() path, but it's hot so ++ * put it here to avoid allocation */ ++ struct kvm_pv_mmu_op_buffer mmu_op_buffer; + + struct kvm_mmu_memory_cache mmu_pte_chain_cache; + struct kvm_mmu_memory_cache mmu_rmap_desc_cache; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200852.974946650@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Joerg Roedel , + Avi Kivity , + Avi Kivity +Subject: [patch 18/48] KVM: add MC5_MISC msr read support +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-add-mc5_misc-msr-read-support.patch +Content-Length: 819 +Lines: 27 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Joerg Roedel + +(cherry picked from commit a89c1ad270ca7ad0eec2667bc754362ce7b142be) + +Currently KVM implements MC0-MC4_MISC read support. When booting Linux this +results in KVM warnings in the kernel log when the guest tries to read +MC5_MISC. Fix this warnings with this patch. + +Signed-off-by: Joerg Roedel +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -752,6 +752,7 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_IA32_MC0_MISC+8: + case MSR_IA32_MC0_MISC+12: + case MSR_IA32_MC0_MISC+16: ++ case MSR_IA32_MC0_MISC+20: + case MSR_IA32_UCODE_REV: + case MSR_IA32_EBL_CR_POWERON: + data = 0; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.134480901@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Marcelo Tosatti , + Avi Kivity , + Avi Kivity +Subject: [patch 19/48] KVM: set debug registers after "schedulable" section +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-set-debug-registers-after-schedulable-section.patch +Content-Length: 1272 +Lines: 50 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Marcelo Tosatti + +(cherry picked from commit 29415c37f043d1d54dcf356601d738ff6633b72b) + +The vcpu thread can be preempted after the guest_debug_pre() callback, +resulting in invalid debug registers on the new vcpu. + +Move it inside the non-preemptable section. + +Signed-off-by: Marcelo Tosatti +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2839,10 +2839,6 @@ static int __vcpu_run(struct kvm_vcpu *v + down_read(&vcpu->kvm->slots_lock); + vapic_enter(vcpu); + +-preempted: +- if (vcpu->guest_debug.enabled) +- kvm_x86_ops->guest_debug_pre(vcpu); +- + again: + if (vcpu->requests) + if (test_and_clear_bit(KVM_REQ_MMU_RELOAD, &vcpu->requests)) +@@ -2896,6 +2892,9 @@ again: + goto out; + } + ++ if (vcpu->guest_debug.enabled) ++ kvm_x86_ops->guest_debug_pre(vcpu); ++ + vcpu->guest_mode = 1; + /* + * Make sure that guest_mode assignment won't happen after +@@ -2970,7 +2969,7 @@ out: + if (r > 0) { + kvm_resched(vcpu); + down_read(&vcpu->kvm->slots_lock); +- goto preempted; ++ goto again; + } + + post_kvm_run_save(vcpu, kvm_run); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.292609785@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:32 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Marcelo Tosatti , + avi@redhat.com +Subject: [patch 20/48] KVM: MMU: increase per-vcpu rmap cache alloc size +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch +Content-Length: 959 +Lines: 33 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Marcelo Tosatti + +(cherry picked from commit c41ef344de212bd918f7765af21b5008628c03e0) + +The page fault path can use two rmap_desc structures, if: + +- walk_addr's dirty pte update allocates one rmap_desc. +- mmu_lock is dropped, sptes are zapped resulting in rmap_desc being + freed. +- fetch->mmu_set_spte allocates another rmap_desc. + +Increase to 4 for safety. + +Signed-off-by: Marcelo Tosatti +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -298,7 +298,7 @@ static int mmu_topup_memory_caches(struc + if (r) + goto out; + r = mmu_topup_memory_cache(&vcpu->arch.mmu_rmap_desc_cache, +- rmap_desc_cache, 1); ++ rmap_desc_cache, 4); + if (r) + goto out; + r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.421933556@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:33 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Sheng Yang +Subject: [patch 21/48] KVM: VMX: Set IGMT bit in EPT entry +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-vmx-set-igmt-bit-in-ept-entry.patch +Content-Length: 1541 +Lines: 44 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Sheng Yang + +(cherry picked from commit 928d4bf747e9c290b690ff515d8f81e8ee226d97) + +There is a potential issue that, when guest using pagetable without vmexit when +EPT enabled, guest would use PAT/PCD/PWT bits to index PAT msr for it's memory, +which would be inconsistent with host side and would cause host MCE due to +inconsistent cache attribute. + +The patch set IGMT bit in EPT entry to ignore guest PAT and use WB as default +memory type to protect host (notice that all memory mapped by KVM should be WB). + +Signed-off-by: Sheng Yang +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 3 ++- + arch/x86/kvm/vmx.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -3299,7 +3299,8 @@ static int __init vmx_init(void) + bypass_guest_pf = 0; + kvm_mmu_set_base_ptes(VMX_EPT_READABLE_MASK | + VMX_EPT_WRITABLE_MASK | +- VMX_EPT_DEFAULT_MT << VMX_EPT_MT_EPTE_SHIFT); ++ VMX_EPT_DEFAULT_MT << VMX_EPT_MT_EPTE_SHIFT | ++ VMX_EPT_IGMT_BIT); + kvm_mmu_set_mask_ptes(0ull, 0ull, 0ull, 0ull, + VMX_EPT_EXECUTABLE_MASK); + kvm_enable_tdp(); +--- a/arch/x86/kvm/vmx.h ++++ b/arch/x86/kvm/vmx.h +@@ -370,6 +370,7 @@ enum vmcs_field { + #define VMX_EPT_READABLE_MASK 0x1ull + #define VMX_EPT_WRITABLE_MASK 0x2ull + #define VMX_EPT_EXECUTABLE_MASK 0x4ull ++#define VMX_EPT_IGMT_BIT (1ull << 6) + + #define VMX_EPT_IDENTITY_PAGETABLE_ADDR 0xfffbc000ul + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.572336618@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:34 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Glauber Costa , + avi@redhat.com +Subject: [patch 22/48] KVM: Dont destroy vcpu in case vcpu_setup fails +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch +Content-Length: 1347 +Lines: 47 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Glauber Costa + +(cherry picked from commit 7d8fece678c1abc2ca3e1ceda2277c3538a9161c) + +One of vcpu_setup responsibilities is to do mmu initialization. +However, in case we fail in kvm_arch_vcpu_reset, before we get the +chance to init mmu. OTOH, vcpu_destroy will attempt to destroy mmu, +triggering a bug. Keeping track of whether or not mmu is initialized +would unnecessarily complicate things. Rather, we just make return, +making sure any needed uninitialization is done before we return, in +case we fail. + +Signed-off-by: Glauber Costa +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1074,12 +1074,11 @@ static int kvm_vm_ioctl_create_vcpu(stru + + r = kvm_arch_vcpu_setup(vcpu); + if (r) +- goto vcpu_destroy; ++ return r; + + mutex_lock(&kvm->lock); + if (kvm->vcpus[n]) { + r = -EEXIST; +- mutex_unlock(&kvm->lock); + goto vcpu_destroy; + } + kvm->vcpus[n] = vcpu; +@@ -1095,8 +1094,8 @@ static int kvm_vm_ioctl_create_vcpu(stru + unlink: + mutex_lock(&kvm->lock); + kvm->vcpus[n] = NULL; +- mutex_unlock(&kvm->lock); + vcpu_destroy: ++ mutex_unlock(&kvm->lock); + kvm_arch_vcpu_destroy(vcpu); + return r; + } + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.702476063@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:35 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 23/48] KVM: VMX: Dont allow uninhibited access to EFER on i386 +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch +Content-Length: 989 +Lines: 35 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 16175a796d061833aacfbd9672235f2d2725df65) + +vmx_set_msr() does not allow i386 guests to touch EFER, but they can still +do so through the default: label in the switch. If they set EFER_LME, they +can oops the host. + +Fix by having EFER access through the normal channel (which will check for +EFER_LME) even on i386. + +Reported-and-tested-by: Benjamin Gilbert +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -898,11 +898,11 @@ static int vmx_set_msr(struct kvm_vcpu * + int ret = 0; + + switch (msr_index) { +-#ifdef CONFIG_X86_64 + case MSR_EFER: + vmx_load_host_state(vmx); + ret = kvm_set_msr_common(vcpu, msr_index, data); + break; ++#ifdef CONFIG_X86_64 + case MSR_FS_BASE: + vmcs_writel(GUEST_FS_BASE, data); + break; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:53 2009 +Message-Id: <20090904200853.830967661@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:36 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 24/48] KVM: SVM: Remove port 80 passthrough +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-svm-remove-port-80-passthrough.patch +Content-Length: 966 +Lines: 30 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit 99f85a28a78e96d28907fe036e1671a218fee597) + +KVM optimizes guest port 80 accesses by passthing them through to the host. +Some AMD machines die on port 80 writes, allowing the guest to hard-lock the +host. + +Remove the port passthrough to avoid the problem. + +Reported-by: Piotr Jaroszyński +Tested-by: Piotr Jaroszyński +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -429,7 +429,6 @@ static __init int svm_hardware_setup(voi + + iopm_va = page_address(iopm_pages); + memset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER)); +- clear_bit(0x80, iopm_va); /* allow direct access to PC debug port */ + iopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT; + + if (boot_cpu_has(X86_FEATURE_NX)) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200853.967007512@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:37 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 25/48] KVM: Make EFER reads safe when EFER does not exist +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-make-efer-reads-safe-when-efer-does-not-exist.patch +Content-Length: 663 +Lines: 29 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit e286e86e6d2042d67d09244aa0e05ffef75c9d54) + +Some processors don't have EFER; don't oops if userspace wants us to +read EFER when we check NX. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -983,9 +983,9 @@ void kvm_arch_vcpu_put(struct kvm_vcpu * + + static int is_efer_nx(void) + { +- u64 efer; ++ unsigned long long efer = 0; + +- rdmsrl(MSR_EFER, efer); ++ rdmsrl_safe(MSR_EFER, &efer); + return efer & EFER_NX; + } + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200854.115208548@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:38 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 26/48] KVM: VMX: Handle vmx instruction vmexits +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-vmx-handle-vmx-instruction-vmexits.patch +Content-Length: 1815 +Lines: 48 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit e3c7cb6ad7191e92ba89d00a7ae5f5dd1ca0c214) + +IF a guest tries to use vmx instructions, inject a #UD to let it know the +instruction is not implemented, rather than crashing. + +This prevents guest userspace from crashing the guest kernel. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2582,6 +2582,12 @@ static int handle_vmcall(struct kvm_vcpu + return 1; + } + ++static int handle_vmx_insn(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ + static int handle_wbinvd(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) + { + skip_emulated_instruction(vcpu); +@@ -2714,6 +2720,15 @@ static int (*kvm_vmx_exit_handlers[])(st + [EXIT_REASON_PENDING_INTERRUPT] = handle_interrupt_window, + [EXIT_REASON_HLT] = handle_halt, + [EXIT_REASON_VMCALL] = handle_vmcall, ++ [EXIT_REASON_VMCLEAR] = handle_vmx_insn, ++ [EXIT_REASON_VMLAUNCH] = handle_vmx_insn, ++ [EXIT_REASON_VMPTRLD] = handle_vmx_insn, ++ [EXIT_REASON_VMPTRST] = handle_vmx_insn, ++ [EXIT_REASON_VMREAD] = handle_vmx_insn, ++ [EXIT_REASON_VMRESUME] = handle_vmx_insn, ++ [EXIT_REASON_VMWRITE] = handle_vmx_insn, ++ [EXIT_REASON_VMOFF] = handle_vmx_insn, ++ [EXIT_REASON_VMON] = handle_vmx_insn, + [EXIT_REASON_TPR_BELOW_THRESHOLD] = handle_tpr_below_threshold, + [EXIT_REASON_APIC_ACCESS] = handle_apic_access, + [EXIT_REASON_WBINVD] = handle_wbinvd, + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200854.271909531@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:39 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 27/48] KVM: Make paravirt tlb flush also reload the PAE PDPTRs +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch +Content-Length: 809 +Lines: 28 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb) + +The paravirt tlb flush may be used not only to flush TLBs, but also +to reload the four page-directory-pointer-table entries, as it is used +as a replacement for reloading CR3. Change the code to do the entire +CR3 reloading dance instead of simply flushing the TLB. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2233,7 +2233,7 @@ static int kvm_pv_mmu_write(struct kvm_v + + static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu) + { +- kvm_x86_ops->tlb_flush(vcpu); ++ kvm_set_cr3(vcpu, vcpu->arch.cr3); + return 1; + } + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200854.433072752@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:40 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity +Subject: [patch 28/48] KVM: Fix PDPTR reloading on CR4 writes +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-fix-pdptr-reloading-on-cr4-writes.patch +Content-Length: 1618 +Lines: 45 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +(cherry picked from commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9) + +The processor is documented to reload the PDPTRs while in PAE mode if any +of the CR4 bits PSE, PGE, or PAE change. Linux relies on this +behaviour when zapping the low mappings of PAE kernels during boot. + +The code already handled changes to CR4.PAE; augment it to also notice changes +to PSE and PGE. + +This triggered while booting an F11 PAE kernel; the futex initialization code +runs before any CR3 reloads and writes to a NULL pointer; the futex subsystem +ended up uninitialized, killing PI futexes and pulseaudio which uses them. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -318,6 +318,9 @@ EXPORT_SYMBOL_GPL(kvm_lmsw); + + void kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { ++ unsigned long old_cr4 = vcpu->arch.cr4; ++ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE; ++ + if (cr4 & CR4_RESERVED_BITS) { + printk(KERN_DEBUG "set_cr4: #GP, reserved bits\n"); + kvm_inject_gp(vcpu, 0); +@@ -331,7 +334,8 @@ void kvm_set_cr4(struct kvm_vcpu *vcpu, + kvm_inject_gp(vcpu, 0); + return; + } +- } else if (is_paging(vcpu) && !is_pae(vcpu) && (cr4 & X86_CR4_PAE) ++ } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE) ++ && ((cr4 ^ old_cr4) & pdptr_bits) + && !load_pdptrs(vcpu, vcpu->arch.cr3)) { + printk(KERN_DEBUG "set_cr4: #GP, pdptrs reserved bits\n"); + kvm_inject_gp(vcpu, 0); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200854.584125547@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:41 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + avi@redhat.com, + Gleb Natapov +Subject: [patch 29/48] KVM: MMU: do not free active mmu pages in free_mmu_pages() +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch +Content-Length: 1314 +Lines: 45 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Gleb Natapov + +(cherry picked from commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e) + +free_mmu_pages() should only undo what alloc_mmu_pages() does. +Free mmu pages from the generic VM destruction function, kvm_destroy_vm(). + +Signed-off-by: Gleb Natapov +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 8 -------- + virt/kvm/kvm_main.c | 2 ++ + 2 files changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1976,14 +1976,6 @@ EXPORT_SYMBOL_GPL(kvm_disable_tdp); + + static void free_mmu_pages(struct kvm_vcpu *vcpu) + { +- struct kvm_mmu_page *sp; +- +- while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) { +- sp = container_of(vcpu->kvm->arch.active_mmu_pages.next, +- struct kvm_mmu_page, link); +- kvm_mmu_zap_page(vcpu->kvm, sp); +- cond_resched(); +- } + free_page((unsigned long)vcpu->arch.mmu.pae_root); + } + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -406,6 +406,8 @@ static void kvm_destroy_vm(struct kvm *k + #endif + #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER) + mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm); ++#else ++ kvm_arch_flush_shadow(kvm); + #endif + kvm_arch_destroy_vm(kvm); + mmdrop(mm); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:54 2009 +Message-Id: <20090904200854.746551563@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:42 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Izik Eidus , + avi@redhat.com +Subject: [patch 30/48] KVM: Fix dirty bit tracking for slots with large pages +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch +Content-Length: 791 +Lines: 30 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Izik Eidus + +(cherry picked from commit e244584fe3a5c20deddeca246548ac86dbc6e1d1) + +When slot is already allocated and being asked to be tracked we need +to break the large pages. + +This code flush the mmu when someone ask a slot to start dirty bit +tracking. + +Signed-off-by: Izik Eidus +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -550,6 +550,8 @@ int __kvm_set_memory_region(struct kvm * + if (!new.dirty_bitmap) + goto out_free; + memset(new.dirty_bitmap, 0, dirty_bytes); ++ if (old.npages) ++ kvm_arch_flush_shadow(kvm); + } + #endif /* not defined CONFIG_S390 */ + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200854.878903295@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:43 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Marcelo Tosatti , + avi@redhat.com +Subject: [patch 31/48] KVM: x86: check for cr3 validity in mmu_alloc_roots +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch +Content-Length: 2734 +Lines: 96 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Marcelo Tosatti + +(cherry picked from commit 8986ecc0ef58c96eec48d8502c048f3ab67fd8e2) + +Verify the cr3 address stored in vcpu->arch.cr3 points to an existant +memslot. If not, inject a triple fault. + +Signed-off-by: Marcelo Tosatti +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 25 ++++++++++++++++++++++--- + arch/x86/kvm/x86.c | 1 + + 2 files changed, 23 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1350,7 +1350,19 @@ static void mmu_free_roots(struct kvm_vc + vcpu->arch.mmu.root_hpa = INVALID_PAGE; + } + +-static void mmu_alloc_roots(struct kvm_vcpu *vcpu) ++static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn) ++{ ++ int ret = 0; ++ ++ if (!kvm_is_visible_gfn(vcpu->kvm, root_gfn)) { ++ set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests); ++ ret = 1; ++ } ++ ++ return ret; ++} ++ ++static int mmu_alloc_roots(struct kvm_vcpu *vcpu) + { + int i; + gfn_t root_gfn; +@@ -1365,13 +1377,15 @@ static void mmu_alloc_roots(struct kvm_v + ASSERT(!VALID_PAGE(root)); + if (tdp_enabled) + metaphysical = 1; ++ if (mmu_check_root(vcpu, root_gfn)) ++ return 1; + sp = kvm_mmu_get_page(vcpu, root_gfn, 0, + PT64_ROOT_LEVEL, metaphysical, + ACC_ALL, NULL); + root = __pa(sp->spt); + ++sp->root_count; + vcpu->arch.mmu.root_hpa = root; +- return; ++ return 0; + } + metaphysical = !is_paging(vcpu); + if (tdp_enabled) +@@ -1388,6 +1402,8 @@ static void mmu_alloc_roots(struct kvm_v + root_gfn = vcpu->arch.pdptrs[i] >> PAGE_SHIFT; + } else if (vcpu->arch.mmu.root_level == 0) + root_gfn = 0; ++ if (mmu_check_root(vcpu, root_gfn)) ++ return 1; + sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30, + PT32_ROOT_LEVEL, metaphysical, + ACC_ALL, NULL); +@@ -1396,6 +1412,7 @@ static void mmu_alloc_roots(struct kvm_v + vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK; + } + vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root); ++ return 0; + } + + static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr) +@@ -1639,8 +1656,10 @@ int kvm_mmu_load(struct kvm_vcpu *vcpu) + goto out; + spin_lock(&vcpu->kvm->mmu_lock); + kvm_mmu_free_some_pages(vcpu); +- mmu_alloc_roots(vcpu); ++ r = mmu_alloc_roots(vcpu); + spin_unlock(&vcpu->kvm->mmu_lock); ++ if (r) ++ goto out; + kvm_x86_ops->set_cr3(vcpu, vcpu->arch.mmu.root_hpa); + kvm_mmu_flush_tlb(vcpu); + out: +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4073,6 +4073,7 @@ int kvm_arch_set_memory_region(struct kv + void kvm_arch_flush_shadow(struct kvm *kvm) + { + kvm_mmu_zap_all(kvm); ++ kvm_reload_remote_mmus(kvm); + } + + int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.017632732@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:44 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Marcelo Tosatti , + avi@redhat.com +Subject: [patch 32/48] KVM: MMU: protect kvm_mmu_change_mmu_pages with mmu_lock +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch +Content-Length: 2209 +Lines: 78 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Marcelo Tosatti + +(cherry picked from commit 7c8a83b75a38a807d37f5a4398eca2a42c8cf513) + +kvm_handle_hva, called by MMU notifiers, manipulates mmu data only with +the protection of mmu_lock. + +Update kvm_mmu_change_mmu_pages callers to take mmu_lock, thus protecting +against kvm_handle_hva. + +Signed-off-by: Marcelo Tosatti +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 -- + arch/x86/kvm/x86.c | 6 ++++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2059,7 +2059,6 @@ void kvm_mmu_slot_remove_write_access(st + { + struct kvm_mmu_page *sp; + +- spin_lock(&kvm->mmu_lock); + list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) { + int i; + u64 *pt; +@@ -2074,7 +2073,6 @@ void kvm_mmu_slot_remove_write_access(st + pt[i] &= ~PT_WRITABLE_MASK; + } + kvm_flush_remote_tlbs(kvm); +- spin_unlock(&kvm->mmu_lock); + } + + void kvm_mmu_zap_all(struct kvm *kvm) +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1454,10 +1454,12 @@ static int kvm_vm_ioctl_set_nr_mmu_pages + return -EINVAL; + + down_write(&kvm->slots_lock); ++ spin_lock(&kvm->mmu_lock); + + kvm_mmu_change_mmu_pages(kvm, kvm_nr_mmu_pages); + kvm->arch.n_requested_mmu_pages = kvm_nr_mmu_pages; + ++ spin_unlock(&kvm->mmu_lock); + up_write(&kvm->slots_lock); + return 0; + } +@@ -1624,7 +1626,9 @@ int kvm_vm_ioctl_get_dirty_log(struct kv + + /* If nothing is dirty, don't bother messing with page tables. */ + if (is_dirty) { ++ spin_lock(&kvm->mmu_lock); + kvm_mmu_slot_remove_write_access(kvm, log->slot); ++ spin_unlock(&kvm->mmu_lock); + kvm_flush_remote_tlbs(kvm); + memslot = &kvm->memslots[log->slot]; + n = ALIGN(memslot->npages, BITS_PER_LONG) / 8; +@@ -4059,12 +4063,14 @@ int kvm_arch_set_memory_region(struct kv + } + } + ++ spin_lock(&kvm->mmu_lock); + if (!kvm->arch.n_requested_mmu_pages) { + unsigned int nr_mmu_pages = kvm_mmu_calculate_mmu_pages(kvm); + kvm_mmu_change_mmu_pages(kvm, nr_mmu_pages); + } + + kvm_mmu_slot_remove_write_access(kvm, mem->slot); ++ spin_unlock(&kvm->mmu_lock); + kvm_flush_remote_tlbs(kvm); + + return 0; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.152815284@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:45 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" +Subject: [patch 33/48] appletalk: fix atalk_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=appletalk-fix-atalk_getname-leak.patch +Content-Length: 676 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream. + +atalk_getname() can leak 8 bytes of kernel memory to user + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/appletalk/ddp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1245,6 +1245,7 @@ static int atalk_getname(struct socket * + return -ENOBUFS; + + *uaddr_len = sizeof(struct sockaddr_at); ++ memset(&sat.sat_zero, 0, sizeof(sat.sat_zero)); + + if (peer) { + if (sk->sk_state != TCP_ESTABLISHED) + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.314980155@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Oliver Hartkopp , + "David S. Miller" +Subject: [patch 34/48] can: Fix raw_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=can-fix-raw_getname-leak.patch +Content-Length: 768 +Lines: 29 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream. + +raw_getname() can leak 10 bytes of kernel memory to user + +(two bytes hole between can_family and can_ifindex, +8 bytes at the end of sockaddr_can structure) + +Signed-off-by: Eric Dumazet +Acked-by: Oliver Hartkopp +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/raw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -396,6 +396,7 @@ static int raw_getname(struct socket *so + if (peer) + return -EOPNOTSUPP; + ++ memset(addr, 0, sizeof(*addr)); + addr->can_family = AF_CAN; + addr->can_ifindex = ro->ifindex; + + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.459975543@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 35/48] do_sigaltstack: avoid copying stack_t as a structure to user space +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch +Content-Length: 1855 +Lines: 62 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Linus Torvalds + +commit 0083fc2c50e6c5127c2802ad323adf8143ab7856 upstream. + +Ulrich Drepper correctly points out that there is generally padding in +the structure on 64-bit hosts, and that copying the structure from +kernel to user space can leak information from the kernel stack in those +padding bytes. + +Avoid the whole issue by just copying the three members one by one +instead, which also means that the function also can avoid the need for +a stack frame. This also happens to match how we copy the new structure +from user space, so it all even makes sense. + +[ The obvious solution of adding a memset() generates horrid code, gcc + does really stupid things. ] + +Reported-by: Ulrich Drepper +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2353,11 +2353,9 @@ do_sigaltstack (const stack_t __user *us + stack_t oss; + int error; + +- if (uoss) { +- oss.ss_sp = (void __user *) current->sas_ss_sp; +- oss.ss_size = current->sas_ss_size; +- oss.ss_flags = sas_ss_flags(sp); +- } ++ oss.ss_sp = (void __user *) current->sas_ss_sp; ++ oss.ss_size = current->sas_ss_size; ++ oss.ss_flags = sas_ss_flags(sp); + + if (uss) { + void __user *ss_sp; +@@ -2400,13 +2398,16 @@ do_sigaltstack (const stack_t __user *us + current->sas_ss_size = ss_size; + } + ++ error = 0; + if (uoss) { + error = -EFAULT; +- if (copy_to_user(uoss, &oss, sizeof(oss))) ++ if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss))) + goto out; ++ error = __put_user(oss.ss_sp, &uoss->ss_sp) | ++ __put_user(oss.ss_size, &uoss->ss_size) | ++ __put_user(oss.ss_flags, &uoss->ss_flags); + } + +- error = 0; + out: + return error; + } + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.571467442@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" +Subject: [patch 36/48] econet: Fix econet_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=econet-fix-econet_getname-leak.patch +Content-Length: 619 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream. + +econet_getname() can leak kernel memory to user. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/econet/af_econet.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/econet/af_econet.c ++++ b/net/econet/af_econet.c +@@ -520,6 +520,7 @@ static int econet_getname(struct socket + if (peer) + return -EOPNOTSUPP; + ++ memset(sec, 0, sizeof(*sec)); + mutex_lock(&econet_mutex); + + sk = sock->sk; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:55 2009 +Message-Id: <20090904200855.729494368@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" +Subject: [patch 37/48] irda: Fix irda_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=irda-fix-irda_getname-leak.patch +Content-Length: 672 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream. + +irda_getname() can leak kernel memory to user. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/irda/af_irda.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s + struct sock *sk = sock->sk; + struct irda_sock *self = irda_sk(sk); + ++ memset(&saddr, 0, sizeof(saddr)); + if (peer) { + if (sk->sk_state != TCP_ESTABLISHED) + return -ENOTCONN; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200855.890096059@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Robert Peterson , + Oleg Nesterov , + Rusty Russell +Subject: [patch 38/48] kthreads: fix kthread_create() vs kthread_stop() race +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=kthreads-fix-kthread_create-vs-kthread_stop-race.patch +Content-Length: 1556 +Lines: 43 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Oleg Nesterov + +The bug should be "accidently" fixed by recent changes in 2.6.31, +all kernels <= 2.6.30 need the fix. The problem was never noticed before, +it was found because it causes mysterious failures with GFS mount/umount. + +Credits to Robert Peterson. He blaimed kthread.c from the very beginning. +But, despite my promise, I forgot to inspect the old implementation until +he did a lot of testing and reminded me. This led to huge delay in fixing +this bug. + +kthread_stop() does put_task_struct(k) before it clears kthread_stop_info.k. +This means another kthread_create() can re-use this task_struct, but the +new kthread can still see kthread_should_stop() == T and exit even without +calling threadfn(). + +Reported-by: Robert Peterson +Tested-by: Robert Peterson +Signed-off-by: Oleg Nesterov +Acked-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kthread.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -213,12 +213,12 @@ int kthread_stop(struct task_struct *k) + /* Now set kthread_should_stop() to true, and wake it up. */ + kthread_stop_info.k = k; + wake_up_process(k); +- put_task_struct(k); + + /* Once it dies, reset stop ptr, gather result and we're done. */ + wait_for_completion(&kthread_stop_info.done); + kthread_stop_info.k = NULL; + ret = kthread_stop_info.err; ++ put_task_struct(k); + mutex_unlock(&kthread_stop_lock); + + return ret; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.062588101@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jiri Slaby , + "David S. Miller" +Subject: [patch 39/48] NET: llc, zero sockaddr_llc struct +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=net-llc-zero-sockaddr_llc-struct.patch +Content-Length: 690 +Lines: 26 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Jiri Slaby + +commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream. + +sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc +before copying to the above layer's structure. + +Signed-off-by: Jiri Slaby +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/af_llc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -915,6 +915,7 @@ static int llc_ui_getname(struct socket + struct llc_sock *llc = llc_sk(sk); + int rc = 0; + ++ memset(&sllc, 0, sizeof(sllc)); + lock_sock(sk); + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.202001072@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" +Subject: [patch 40/48] netrom: Fix nr_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=netrom-fix-nr_getname-leak.patch +Content-Length: 796 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream. + +nr_getname() can leak kernel memory to user. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netrom/af_netrom.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc + sax->fsa_ax25.sax25_family = AF_NETROM; + sax->fsa_ax25.sax25_ndigis = 1; + sax->fsa_ax25.sax25_call = nr->user_addr; ++ memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater)); + sax->fsa_digipeater[0] = nr->dest_addr; + *uaddr_len = sizeof(struct full_sockaddr_ax25); + } else { + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.335297402@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Sunil Mushran , + Joel Becker +Subject: [patch 41/48] ocfs2: Initialize the cluster were writing to in a non-sparse extend +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch +Content-Length: 5295 +Lines: 183 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Sunil Mushran + +commit e7432675f8ca868a4af365759a8d4c3779a3d922 upstream. + +In a non-sparse extend, we correctly allocate (and zero) the clusters between +the old_i_size and pos, but we don't zero the portions of the cluster we're +writing to outside of pos<->len. + +It handles clustersize > pagesize and blocksize < pagesize. + +[Cleaned up by Joel Becker.] + +Signed-off-by: Sunil Mushran +Signed-off-by: Joel Becker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/aops.c | 64 ++++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 46 insertions(+), 18 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -908,18 +908,17 @@ struct ocfs2_write_cluster_desc { + */ + unsigned c_new; + unsigned c_unwritten; ++ unsigned c_needs_zero; + }; + +-static inline int ocfs2_should_zero_cluster(struct ocfs2_write_cluster_desc *d) +-{ +- return d->c_new || d->c_unwritten; +-} +- + struct ocfs2_write_ctxt { + /* Logical cluster position / len of write */ + u32 w_cpos; + u32 w_clen; + ++ /* First cluster allocated in a nonsparse extend */ ++ u32 w_first_new_cpos; ++ + struct ocfs2_write_cluster_desc w_desc[OCFS2_MAX_CLUSTERS_PER_PAGE]; + + /* +@@ -997,6 +996,7 @@ static int ocfs2_alloc_write_ctxt(struct + return -ENOMEM; + + wc->w_cpos = pos >> osb->s_clustersize_bits; ++ wc->w_first_new_cpos = UINT_MAX; + cend = (pos + len - 1) >> osb->s_clustersize_bits; + wc->w_clen = cend - wc->w_cpos + 1; + get_bh(di_bh); +@@ -1239,13 +1239,11 @@ static int ocfs2_write_cluster(struct ad + struct ocfs2_write_ctxt *wc, u32 cpos, + loff_t user_pos, unsigned user_len) + { +- int ret, i, new, should_zero = 0; ++ int ret, i, new; + u64 v_blkno, p_blkno; + struct inode *inode = mapping->host; + + new = phys == 0 ? 1 : 0; +- if (new || unwritten) +- should_zero = 1; + + if (new) { + u32 tmp_pos; +@@ -1356,7 +1354,9 @@ static int ocfs2_write_cluster_by_desc(s + local_len = osb->s_clustersize - cluster_off; + + ret = ocfs2_write_cluster(mapping, desc->c_phys, +- desc->c_unwritten, data_ac, meta_ac, ++ desc->c_unwritten, ++ desc->c_needs_zero, ++ data_ac, meta_ac, + wc, desc->c_cpos, pos, local_len); + if (ret) { + mlog_errno(ret); +@@ -1406,14 +1406,14 @@ static void ocfs2_set_target_boundaries( + * newly allocated cluster. + */ + desc = &wc->w_desc[0]; +- if (ocfs2_should_zero_cluster(desc)) ++ if (desc->c_needs_zero) + ocfs2_figure_cluster_boundaries(osb, + desc->c_cpos, + &wc->w_target_from, + NULL); + + desc = &wc->w_desc[wc->w_clen - 1]; +- if (ocfs2_should_zero_cluster(desc)) ++ if (desc->c_needs_zero) + ocfs2_figure_cluster_boundaries(osb, + desc->c_cpos, + NULL, +@@ -1481,13 +1481,28 @@ static int ocfs2_populate_write_desc(str + phys++; + } + ++ /* ++ * If w_first_new_cpos is < UINT_MAX, we have a non-sparse ++ * file that got extended. w_first_new_cpos tells us ++ * where the newly allocated clusters are so we can ++ * zero them. ++ */ ++ if (desc->c_cpos >= wc->w_first_new_cpos) { ++ BUG_ON(phys == 0); ++ desc->c_needs_zero = 1; ++ } ++ + desc->c_phys = phys; + if (phys == 0) { + desc->c_new = 1; ++ desc->c_needs_zero = 1; + *clusters_to_alloc = *clusters_to_alloc + 1; + } +- if (ext_flags & OCFS2_EXT_UNWRITTEN) ++ ++ if (ext_flags & OCFS2_EXT_UNWRITTEN) { + desc->c_unwritten = 1; ++ desc->c_needs_zero = 1; ++ } + + num_clusters--; + } +@@ -1644,10 +1659,13 @@ static int ocfs2_expand_nonsparse_inode( + if (newsize <= i_size_read(inode)) + return 0; + +- ret = ocfs2_extend_no_holes(inode, newsize, newsize - len); ++ ret = ocfs2_extend_no_holes(inode, newsize, pos); + if (ret) + mlog_errno(ret); + ++ wc->w_first_new_cpos = ++ ocfs2_clusters_for_bytes(inode->i_sb, i_size_read(inode)); ++ + return ret; + } + +@@ -1656,7 +1674,7 @@ int ocfs2_write_begin_nolock(struct addr + struct page **pagep, void **fsdata, + struct buffer_head *di_bh, struct page *mmap_page) + { +- int ret, credits = OCFS2_INODE_UPDATE_CREDITS; ++ int ret, cluster_of_pages, credits = OCFS2_INODE_UPDATE_CREDITS; + unsigned int clusters_to_alloc, extents_to_split; + struct ocfs2_write_ctxt *wc; + struct inode *inode = mapping->host; +@@ -1724,8 +1742,19 @@ int ocfs2_write_begin_nolock(struct addr + + } + +- ocfs2_set_target_boundaries(osb, wc, pos, len, +- clusters_to_alloc + extents_to_split); ++ /* ++ * We have to zero sparse allocated clusters, unwritten extent clusters, ++ * and non-sparse clusters we just extended. For non-sparse writes, ++ * we know zeros will only be needed in the first and/or last cluster. ++ */ ++ if (clusters_to_alloc || extents_to_split || ++ wc->w_desc[0].c_needs_zero || ++ wc->w_desc[wc->w_clen - 1].c_needs_zero) ++ cluster_of_pages = 1; ++ else ++ cluster_of_pages = 0; ++ ++ ocfs2_set_target_boundaries(osb, wc, pos, len, cluster_of_pages); + + handle = ocfs2_start_trans(osb, credits); + if (IS_ERR(handle)) { +@@ -1753,8 +1782,7 @@ int ocfs2_write_begin_nolock(struct addr + * extent. + */ + ret = ocfs2_grab_pages_for_write(mapping, wc, wc->w_cpos, pos, +- clusters_to_alloc + extents_to_split, +- mmap_page); ++ cluster_of_pages, mmap_page); + if (ret) { + mlog_errno(ret); + goto out_commit; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.494481884@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "David S. Miller" +Subject: [patch 42/48] rose: Fix rose_getname() leak +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=rose-fix-rose_getname-leak.patch +Content-Length: 656 +Lines: 25 + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream. + +rose_getname() can leak kernel memory to user. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rose/af_rose.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s + struct rose_sock *rose = rose_sk(sk); + int n; + ++ memset(srose, 0, sizeof(*srose)); + if (peer != 0) { + if (sk->sk_state != TCP_ESTABLISHED) + return -ENOTCONN; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.656372719@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Takashi Iwai +Subject: [patch 43/48] ALSA: hda - Add missing vmaster initialization for ALC269 +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=alsa-hda-add-missing-vmaster-initialization-for-alc269.patch +Content-Length: 821 +Lines: 30 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Takashi Iwai + +commit 100d5eb36ba20dc0b99a17ea2b9800c567bfc3d1 upstream. + +Without the initialization of vmaster NID, the dB information got +confused for ALC269 codec. + +Reference: Novell bnc#527361 + https://bugzilla.novell.com/show_bug.cgi?id=527361 + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11640,6 +11640,8 @@ static int patch_alc269(struct hda_codec + spec->num_adc_nids = ARRAY_SIZE(alc269_adc_nids); + spec->capsrc_nids = alc269_capsrc_nids; + ++ spec->vmaster_nid = 0x02; ++ + codec->patch_ops = alc_patch_ops; + if (board_config == ALC269_AUTO) + spec->init_hook = alc269_auto_init; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:56 2009 +Message-Id: <20090904200856.789824376@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox , + Chuck Ebbert +Subject: [patch 44/48] parport: quickfix the proc registration bug +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=parport-quickfix-the-proc-registration-bug.patch +Content-Length: 2089 +Lines: 72 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Alan Cox + +commit 05ad709d04799125ed85dd816fdb558258102172 upstream + +parport: quickfix the proc registration bug + +Ideally we should have a directory of drivers and a link to the 'active' +driver. For now just show the first device which is effectively the existing +semantics without a warning. + +This is an update on the original buggy patch that I then forgot to +resubmit. Confusingly it was proposed by Red Hat, written by Etched Pixels +fixed and submitted by Intel ... + +Resolves-Bug: http://bugzilla.kernel.org/show_bug.cgi?id=9749 +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman +--- + +--- + drivers/parport/share.c | 13 ++++++++++--- + include/linux/parport.h | 4 ++++ + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/parport/share.c ++++ b/drivers/parport/share.c +@@ -614,7 +614,10 @@ parport_register_device(struct parport * + * pardevice fields. -arca + */ + port->ops->init_state(tmp, tmp->state); +- parport_device_proc_register(tmp); ++ if (!test_and_set_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags)) { ++ port->proc_device = tmp; ++ parport_device_proc_register(tmp); ++ } + return tmp; + + out_free_all: +@@ -646,10 +649,14 @@ void parport_unregister_device(struct pa + } + #endif + +- parport_device_proc_unregister(dev); +- + port = dev->port->physport; + ++ if (port->proc_device == dev) { ++ port->proc_device = NULL; ++ clear_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags); ++ parport_device_proc_unregister(dev); ++ } ++ + if (port->cad == dev) { + printk(KERN_DEBUG "%s: %s forgot to release port\n", + port->name, dev->name); +--- a/include/linux/parport.h ++++ b/include/linux/parport.h +@@ -326,6 +326,10 @@ struct parport { + int spintime; + atomic_t ref_count; + ++ unsigned long devflags; ++#define PARPORT_DEVPROC_REGISTERED 0 ++ struct pardevice *proc_device; /* Currently register proc device */ ++ + struct list_head full_list; + struct parport *slaves[3]; + }; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:57 2009 +Message-Id: <20090904200856.961519803@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Oliver Neukum , + Chuck Ebbert +Subject: [patch 45/48] USB: removal of tty->low_latency hack dating back to the old serial code +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch +Content-Length: 12356 +Lines: 372 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Oliver Neukum + +commit 2400a2bfbd0e912193fe3b077f492d4980141813 upstream + + +[ cebbert@redhat.com: backport to 2.6.27 ] + +USB: removal of tty->low_latency hack dating back to the old serial code + +This removes tty->low_latency from all USB serial drivers that push +data into the tty layer at hard interrupt context. It's no longer needed +and actually harmful. + +Signed-off-by: Oliver Neukum +Cc: Alan Cox +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cyberjack.c | 7 ------- + drivers/usb/serial/cypress_m8.c | 4 ---- + drivers/usb/serial/empeg.c | 6 ------ + drivers/usb/serial/garmin_gps.c | 8 -------- + drivers/usb/serial/generic.c | 6 ------ + drivers/usb/serial/io_edgeport.c | 8 -------- + drivers/usb/serial/io_ti.c | 8 -------- + drivers/usb/serial/ipaq.c | 6 ------ + drivers/usb/serial/ipw.c | 3 --- + drivers/usb/serial/iuu_phoenix.c | 1 - + drivers/usb/serial/kobil_sct.c | 6 ------ + drivers/usb/serial/mos7720.c | 7 ------- + drivers/usb/serial/mos7840.c | 6 ------ + drivers/usb/serial/option.c | 3 --- + drivers/usb/serial/sierra.c | 3 --- + drivers/usb/serial/ti_usb_3410_5052.c | 17 +---------------- + drivers/usb/serial/visor.c | 8 -------- + 17 files changed, 1 insertion(+), 106 deletions(-) + +--- a/drivers/usb/serial/cyberjack.c ++++ b/drivers/usb/serial/cyberjack.c +@@ -174,13 +174,6 @@ static int cyberjack_open(struct tty_st + dbg("%s - usb_clear_halt", __func__); + usb_clear_halt(port->serial->dev, port->write_urb->pipe); + +- /* force low_latency on so that our tty_push actually forces +- * the data through, otherwise it is scheduled, and with high +- * data rates (like with OHCI) data can get lost. +- */ +- if (tty) +- tty->low_latency = 1; +- + priv = usb_get_serial_port_data(port); + spin_lock_irqsave(&priv->lock, flags); + priv->rdtodo = 0; +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -655,10 +655,6 @@ static int cypress_open(struct tty_struc + priv->rx_flags = 0; + spin_unlock_irqrestore(&priv->lock, flags); + +- /* setting to zero could cause data loss */ +- if (tty) +- tty->low_latency = 1; +- + /* raise both lines and set termios */ + spin_lock_irqsave(&priv->lock, flags); + priv->line_control = CONTROL_DTR | CONTROL_RTS; +--- a/drivers/usb/serial/empeg.c ++++ b/drivers/usb/serial/empeg.c +@@ -478,12 +478,6 @@ static void empeg_set_termios(struct tty + termios->c_cflag + |= CS8; /* character size 8 bits */ + +- /* +- * Force low_latency on; otherwise the pushes are scheduled; +- * this is bad as it opens up the possibility of dropping bytes +- * on the floor. We don't want to drop bytes on the floor. :) +- */ +- tty->low_latency = 1; + tty_encode_baud_rate(tty, 115200, 115200); + } + +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -972,14 +972,6 @@ static int garmin_open(struct tty_struct + + dbg("%s - port %d", __func__, port->number); + +- /* +- * Force low_latency on so that our tty_push actually forces the data +- * through, otherwise it is scheduled, and with high data rates (like +- * with OHCI) data can get lost. +- */ +- if (tty) +- tty->low_latency = 1; +- + spin_lock_irqsave(&garmin_data_p->lock, flags); + garmin_data_p->mode = initial_mode; + garmin_data_p->count = 0; +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -122,12 +122,6 @@ int usb_serial_generic_open(struct tty_s + + dbg("%s - port %d", __func__, port->number); + +- /* force low_latency on so that our tty_push actually forces the data +- through, otherwise it is scheduled, and with high data rates (like +- with OHCI) data can get lost. */ +- if (tty) +- tty->low_latency = 1; +- + /* clear the throttle flags */ + spin_lock_irqsave(&port->lock, flags); + port->throttled = 0; +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -193,8 +193,6 @@ static const struct divisor_table_entry + /* local variables */ + static int debug; + +-static int low_latency = 1; /* tty low latency flag, on by default */ +- + static atomic_t CmdUrbs; /* Number of outstanding Command Write Urbs */ + + +@@ -861,9 +859,6 @@ static int edge_open(struct tty_struct * + if (edge_port == NULL) + return -ENODEV; + +- if (tty) +- tty->low_latency = low_latency; +- + /* see if we've set up our endpoint info yet (can't set it up + in edge_startup as the structures were not set up at that time.) */ + serial = port->serial; +@@ -3281,6 +3276,3 @@ MODULE_FIRMWARE("edgeport/down2.fw"); + + module_param(debug, bool, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(debug, "Debug enabled or not"); +- +-module_param(low_latency, bool, S_IRUGO | S_IWUSR); +-MODULE_PARM_DESC(low_latency, "Low latency enabled or not"); +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -76,7 +76,6 @@ struct edgeport_uart_buf_desc { + #define EDGE_READ_URB_STOPPING 1 + #define EDGE_READ_URB_STOPPED 2 + +-#define EDGE_LOW_LATENCY 1 + #define EDGE_CLOSING_WAIT 4000 /* in .01 sec */ + + #define EDGE_OUT_BUF_SIZE 1024 +@@ -232,7 +231,6 @@ static unsigned short OperationalBuildNu + + static int debug; + +-static int low_latency = EDGE_LOW_LATENCY; + static int closing_wait = EDGE_CLOSING_WAIT; + static int ignore_cpu_rev; + static int default_uart_mode; /* RS232 */ +@@ -1838,9 +1836,6 @@ static int edge_open(struct tty_struct * + if (edge_port == NULL) + return -ENODEV; + +- if (tty) +- tty->low_latency = low_latency; +- + port_number = port->number - port->serial->minor; + switch (port_number) { + case 0: +@@ -2995,9 +2990,6 @@ MODULE_FIRMWARE("edgeport/down3.bin"); + module_param(debug, bool, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(debug, "Debug enabled or not"); + +-module_param(low_latency, bool, S_IRUGO | S_IWUSR); +-MODULE_PARM_DESC(low_latency, "Low latency enabled or not"); +- + module_param(closing_wait, int, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(closing_wait, "Maximum wait for data to drain, in .01 secs"); + +--- a/drivers/usb/serial/ipaq.c ++++ b/drivers/usb/serial/ipaq.c +@@ -635,13 +635,7 @@ static int ipaq_open(struct tty_struct * + priv->free_len += PACKET_SIZE; + } + +- /* +- * Force low latency on. This will immediately push data to the line +- * discipline instead of queueing. +- */ +- + if (tty) { +- tty->low_latency = 1; + /* FIXME: These two are bogus */ + tty->raw = 1; + tty->real_raw = 1; +--- a/drivers/usb/serial/ipw.c ++++ b/drivers/usb/serial/ipw.c +@@ -206,9 +206,6 @@ static int ipw_open(struct tty_struct *t + if (!buf_flow_init) + return -ENOMEM; + +- if (tty) +- tty->low_latency = 1; +- + /* --1: Tell the modem to initialize (we think) From sniffs this is + * always the first thing that gets sent to the modem during + * opening of the device */ +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -1046,7 +1046,6 @@ static int iuu_open(struct tty_struct *t + tty->termios->c_oflag = 0; + tty->termios->c_iflag = 0; + priv->termios_initialized = 1; +- tty->low_latency = 1; + priv->poll = 0; + } + spin_unlock_irqrestore(&priv->lock, flags); +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -231,13 +231,7 @@ static int kobil_open(struct tty_struct + /* someone sets the dev to 0 if the close method has been called */ + port->interrupt_in_urb->dev = port->serial->dev; + +- +- /* force low_latency on so that our tty_push actually forces +- * the data through, otherwise it is scheduled, and with high +- * data rates (like with OHCI) data can get lost. +- */ + if (tty) { +- tty->low_latency = 1; + + /* Default to echo off and other sane device settings */ + tty->termios->c_lflag = 0; +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -442,13 +442,6 @@ static int mos7720_open(struct tty_struc + data = 0x0c; + send_mos_cmd(serial, MOS_WRITE, port_number, 0x01, &data); + +- /* force low_latency on so that our tty_push actually forces * +- * the data through,otherwise it is scheduled, and with * +- * high data rates (like with OHCI) data can get lost. */ +- +- if (tty) +- tty->low_latency = 1; +- + /* see if we've set up our endpoint info yet * + * (can't set it up in mos7720_startup as the * + * structures were not set up at that time.) */ +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -990,12 +990,6 @@ static int mos7840_open(struct tty_struc + status = mos7840_set_reg_sync(port, mos7840_port->ControlRegOffset, + Data); + +- /* force low_latency on so that our tty_push actually forces * +- * the data through,otherwise it is scheduled, and with * +- * high data rates (like with OHCI) data can get lost. */ +- if (tty) +- tty->low_latency = 1; +- + /* Check to see if we've set up our endpoint info yet * + * (can't set it up in mos7840_startup as the structures * + * were not set up at that time.) */ +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -914,9 +914,6 @@ static int option_open(struct tty_struct + usb_pipeout(urb->pipe), 0); */ + } + +- if (tty) +- tty->low_latency = 1; +- + option_send_setup(tty, port); + + return 0; +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -576,9 +576,6 @@ static int sierra_open(struct tty_struct + } + } + +- if (tty) +- tty->low_latency = 1; +- + sierra_send_setup(tty, port); + + /* start up the interrupt endpoint if we have one */ +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -101,11 +101,10 @@ + + #define TI_TRANSFER_TIMEOUT 2 + +-#define TI_DEFAULT_LOW_LATENCY 0 + #define TI_DEFAULT_CLOSING_WAIT 4000 /* in .01 secs */ + + /* supported setserial flags */ +-#define TI_SET_SERIAL_FLAGS (ASYNC_LOW_LATENCY) ++#define TI_SET_SERIAL_FLAGS 0 + + /* read urb states */ + #define TI_READ_URB_RUNNING 0 +@@ -212,7 +211,6 @@ static int ti_buf_get(struct circ_buf *c + + /* module parameters */ + static int debug; +-static int low_latency = TI_DEFAULT_LOW_LATENCY; + static int closing_wait = TI_DEFAULT_CLOSING_WAIT; + static ushort vendor_3410[TI_EXTRA_VID_PID_COUNT]; + static unsigned int vendor_3410_count; +@@ -333,10 +331,6 @@ MODULE_FIRMWARE("ti_5052.fw"); + module_param(debug, bool, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(debug, "Enable debugging, 0=no, 1=yes"); + +-module_param(low_latency, bool, S_IRUGO | S_IWUSR); +-MODULE_PARM_DESC(low_latency, +- "TTY low_latency flag, 0=off, 1=on, default is off"); +- + module_param(closing_wait, int, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(closing_wait, + "Maximum wait for data to drain in close, in .01 secs, default is 4000"); +@@ -480,7 +474,6 @@ static int ti_startup(struct usb_serial + spin_lock_init(&tport->tp_lock); + tport->tp_uart_base_addr = (i == 0 ? + TI_UART1_BASE_ADDR : TI_UART2_BASE_ADDR); +- tport->tp_flags = low_latency ? ASYNC_LOW_LATENCY : 0; + tport->tp_closing_wait = closing_wait; + init_waitqueue_head(&tport->tp_msr_wait); + init_waitqueue_head(&tport->tp_write_wait); +@@ -560,10 +553,6 @@ static int ti_open(struct tty_struct *tt + if (mutex_lock_interruptible(&tdev->td_open_close_lock)) + return -ERESTARTSYS; + +- if (tty) +- tty->low_latency = +- (tport->tp_flags & ASYNC_LOW_LATENCY) ? 1 : 0; +- + port_number = port->number - port->serial->minor; + + memset(&(tport->tp_icount), 0x00, sizeof(tport->tp_icount)); +@@ -1480,10 +1469,6 @@ static int ti_set_serial_info(struct ti_ + return -EFAULT; + + tport->tp_flags = new_serial.flags & TI_SET_SERIAL_FLAGS; +- /* FIXME */ +- if (port->port.tty) +- port->port.tty->low_latency = +- (tport->tp_flags & ASYNC_LOW_LATENCY) ? 1 : 0; + tport->tp_closing_wait = new_serial.closing_wait; + + return 0; +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -296,14 +296,6 @@ static int visor_open(struct tty_struct + priv->throttled = 0; + spin_unlock_irqrestore(&priv->lock, flags); + +- /* +- * Force low_latency on so that our tty_push actually forces the data +- * through, otherwise it is scheduled, and with high data rates (like +- * with OHCI) data can get lost. +- */ +- if (tty) +- tty->low_latency = 1; +- + /* Start reading from the device */ + usb_fill_bulk_urb(port->read_urb, serial->dev, + usb_rcvbulkpipe(serial->dev, + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:57 2009 +Message-Id: <20090904200857.121342149@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Chuck Ebbert , + Alan Cox +Subject: [patch 46/48] Remove low_latency flag setting from nozomi and mxser drivers +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch +Content-Length: 1247 +Lines: 47 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Chuck Ebbert + +commit 4d8d4d251df8eaaa3dae71c8cfa7fbf4510d967d upstream + +[ cebbert@redhat.com: backport to 2.6.27 ] + +Remove low_latency flag setting from nozomi and mxser drivers + +The kernel oopses if this flag is set. + +[and neither driver should set it as they call tty_flip_buffer_push from IRQ + paths so have always been buggy] + +Signed-off-by: Chuck Ebbert +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + +--- + drivers/char/mxser.c | 2 -- + drivers/char/nozomi.c | 1 - + 2 files changed, 3 deletions(-) + +--- a/drivers/char/mxser.c ++++ b/drivers/char/mxser.c +@@ -1099,8 +1099,6 @@ static int mxser_open(struct tty_struct + if (retval) + return retval; + +- /* unmark here for very high baud rate (ex. 921600 bps) used */ +- tty->low_latency = 1; + return 0; + } + +--- a/drivers/char/nozomi.c ++++ b/drivers/char/nozomi.c +@@ -1584,7 +1584,6 @@ static int ntty_open(struct tty_struct * + + /* Enable interrupt downlink for channel */ + if (port->tty_open_count == 1) { +- tty->low_latency = 1; + tty->driver_data = port; + port->tty = tty; + DBG1("open: %d", port->token_dl); + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:57 2009 +Message-Id: <20090904200857.279447289@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:07:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + James Bottomley , + Chuck Ebbert +Subject: [patch 47/48] SCSI: sr: report more accurate drive status after closing the tray. +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch +Content-Length: 1580 +Lines: 43 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Peter Jones + +commit 96bcc722c47d07b6fd05c9d0cb3ab8ea5574c5b1 upstream + +[SCSI] sr: report more accurate drive status after closing the tray. + +So, what's happening here is that the drive is reporting a sense of +2/4/1 ("logical unit is becoming ready") from sr_test_unit_ready(), and +then we ask for the media event notification before checking that result +at all. The check_media_event_descriptor() call isn't getting a check +condition, but it's also reporting that the tray is closed and that +there's no media. In actuality it doesn't yet know if there's media or +not, but there's no way to express that in the media event status field. + +My current thought is that if it told us the device isn't yet ready, we +should return that immediately, since there's nothing that'll tell us +any more data than that reliably: + +Signed-off-by: James Bottomley +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman +--- + +--- + drivers/scsi/sr_ioctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/sr_ioctl.c ++++ b/drivers/scsi/sr_ioctl.c +@@ -309,6 +309,11 @@ int sr_drive_status(struct cdrom_device_ + if (0 == sr_test_unit_ready(cd->device, &sshdr)) + return CDS_DISC_OK; + ++ /* SK/ASC/ASCQ of 2/4/1 means "unit is becoming ready" */ ++ if (scsi_sense_valid(&sshdr) && sshdr.sense_key == NOT_READY ++ && sshdr.asc == 0x04 && sshdr.ascq == 0x01) ++ return CDS_DRIVE_NOT_READY; ++ + if (!cdrom_get_media_event(cdi, &med)) { + if (med.media_present) + return CDS_DISC_OK; + + +From gregkh@mini.kroah.org Fri Sep 4 13:08:57 2009 +Message-Id: <20090904200857.466721861@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 04 Sep 2009 13:08:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Steve Dickson , + Trond Myklebust +Subject: [patch 48/48] SUNRPC: Fix tcp reconnection +References: <20090904200712.724048145@mini.kroah.org> +Content-Disposition: inline; filename=sunrpc-fix-tcp-reconnection.patch +Content-Length: 3885 +Lines: 129 + + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +This fixes a problem that was reported as Red Hat Bugzilla entry number +485339, in which rpciod starts looping on the TCP connection code, +rendering the NFS client unusable for 1/2 minute or so. + +It is basically a backport of commit +f75e6745aa3084124ae1434fd7629853bdaf6798 (SUNRPC: Fix the problem of +EADDRNOTAVAIL syslog floods on reconnect) + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + + +--- + include/linux/sunrpc/xprt.h | 1 + + net/sunrpc/xprt.c | 6 ++---- + net/sunrpc/xprtsock.c | 37 ++++++++++++++++++++++++++++++++++--- + 3 files changed, 37 insertions(+), 7 deletions(-) + +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -260,6 +260,7 @@ void xprt_conditional_disconnect(struc + #define XPRT_BOUND (4) + #define XPRT_BINDING (5) + #define XPRT_CLOSING (6) ++#define XPRT_CONNECTION_CLOSE (8) + + static inline void xprt_set_connected(struct rpc_xprt *xprt) + { +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -645,10 +645,8 @@ xprt_init_autodisconnect(unsigned long d + if (test_and_set_bit(XPRT_LOCKED, &xprt->state)) + goto out_abort; + spin_unlock(&xprt->transport_lock); +- if (xprt_connecting(xprt)) +- xprt_release_write(xprt, NULL); +- else +- queue_work(rpciod_workqueue, &xprt->task_cleanup); ++ set_bit(XPRT_CONNECTION_CLOSE, &xprt->state); ++ queue_work(rpciod_workqueue, &xprt->task_cleanup); + return; + out_abort: + spin_unlock(&xprt->transport_lock); +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -748,6 +748,9 @@ out_release: + * + * This is used when all requests are complete; ie, no DRC state remains + * on the server we want to save. ++ * ++ * The caller _must_ be holding XPRT_LOCKED in order to avoid issues with ++ * xs_reset_transport() zeroing the socket from underneath a writer. + */ + static void xs_close(struct rpc_xprt *xprt) + { +@@ -781,6 +784,14 @@ clear_close_wait: + xprt_disconnect_done(xprt); + } + ++static void xs_tcp_close(struct rpc_xprt *xprt) ++{ ++ if (test_and_clear_bit(XPRT_CONNECTION_CLOSE, &xprt->state)) ++ xs_close(xprt); ++ else ++ xs_tcp_shutdown(xprt); ++} ++ + /** + * xs_destroy - prepare to shutdown a transport + * @xprt: doomed transport +@@ -1676,11 +1687,21 @@ static void xs_tcp_connect_worker4(struc + goto out_clear; + case -ECONNREFUSED: + case -ECONNRESET: ++ case -ENETUNREACH: + /* retry with existing socket, after a delay */ +- break; ++ goto out_clear; + default: + /* get rid of existing socket, and retry */ + xs_tcp_shutdown(xprt); ++ printk("%s: connect returned unhandled error %d\n", ++ __func__, status); ++ case -EADDRNOTAVAIL: ++ /* We're probably in TIME_WAIT. Get rid of existing socket, ++ * and retry ++ */ ++ set_bit(XPRT_CONNECTION_CLOSE, &xprt->state); ++ xprt_force_disconnect(xprt); ++ status = -EAGAIN; + } + } + out: +@@ -1735,11 +1756,21 @@ static void xs_tcp_connect_worker6(struc + goto out_clear; + case -ECONNREFUSED: + case -ECONNRESET: ++ case -ENETUNREACH: + /* retry with existing socket, after a delay */ +- break; ++ goto out_clear; + default: + /* get rid of existing socket, and retry */ + xs_tcp_shutdown(xprt); ++ printk("%s: connect returned unhandled error %d\n", ++ __func__, status); ++ case -EADDRNOTAVAIL: ++ /* We're probably in TIME_WAIT. Get rid of existing socket, ++ * and retry ++ */ ++ set_bit(XPRT_CONNECTION_CLOSE, &xprt->state); ++ xprt_force_disconnect(xprt); ++ status = -EAGAIN; + } + } + out: +@@ -1871,7 +1902,7 @@ static struct rpc_xprt_ops xs_tcp_ops = + .buf_free = rpc_free, + .send_request = xs_tcp_send_request, + .set_retrans_timeout = xprt_set_retrans_timeout_def, +- .close = xs_tcp_shutdown, ++ .close = xs_tcp_close, + .destroy = xs_destroy, + .print_stats = xs_tcp_print_stats, + }; + + diff --git a/queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch b/review-2.6.27/net-llc-zero-sockaddr_llc-struct.patch similarity index 100% rename from queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch rename to review-2.6.27/net-llc-zero-sockaddr_llc-struct.patch diff --git a/queue-2.6.27/netrom-fix-nr_getname-leak.patch b/review-2.6.27/netrom-fix-nr_getname-leak.patch similarity index 100% rename from queue-2.6.27/netrom-fix-nr_getname-leak.patch rename to review-2.6.27/netrom-fix-nr_getname-leak.patch diff --git a/queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch b/review-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch similarity index 100% rename from queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch rename to review-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch diff --git a/queue-2.6.27/parport-quickfix-the-proc-registration-bug.patch b/review-2.6.27/parport-quickfix-the-proc-registration-bug.patch similarity index 100% rename from queue-2.6.27/parport-quickfix-the-proc-registration-bug.patch rename to review-2.6.27/parport-quickfix-the-proc-registration-bug.patch diff --git a/queue-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch b/review-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch similarity index 100% rename from queue-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch rename to review-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch diff --git a/queue-2.6.27/rose-fix-rose_getname-leak.patch b/review-2.6.27/rose-fix-rose_getname-leak.patch similarity index 100% rename from queue-2.6.27/rose-fix-rose_getname-leak.patch rename to review-2.6.27/rose-fix-rose_getname-leak.patch diff --git a/queue-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch b/review-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch similarity index 100% rename from queue-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch rename to review-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch diff --git a/queue-2.6.27/series b/review-2.6.27/series similarity index 100% rename from queue-2.6.27/series rename to review-2.6.27/series diff --git a/queue-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch b/review-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch similarity index 100% rename from queue-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch rename to review-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch diff --git a/queue-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch b/review-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch similarity index 100% rename from queue-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch rename to review-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch diff --git a/queue-2.6.27/sunrpc-fix-tcp-reconnection.patch b/review-2.6.27/sunrpc-fix-tcp-reconnection.patch similarity index 100% rename from queue-2.6.27/sunrpc-fix-tcp-reconnection.patch rename to review-2.6.27/sunrpc-fix-tcp-reconnection.patch diff --git a/queue-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch b/review-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch similarity index 100% rename from queue-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch rename to review-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch