From: Greg Kroah-Hartman Date: Fri, 9 Oct 2009 23:24:04 +0000 (-0700) Subject: start 2.6.27.37 review cycle X-Git-Tag: v2.6.27.37~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba6caed2774b316ff71d63b4a956ba9a57d3ed8b;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.27.37 review cycle --- diff --git a/queue-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch b/review-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch similarity index 100% rename from queue-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch rename to review-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch diff --git a/queue-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch b/review-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch similarity index 100% rename from queue-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch rename to review-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch diff --git a/queue-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch b/review-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch similarity index 100% rename from queue-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch rename to review-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox new file mode 100644 index 00000000000..da0c0b534b5 --- /dev/null +++ b/review-2.6.27/mbox @@ -0,0 +1,847 @@ +From gregkh@mini.kroah.org Fri Oct 9 16:22:33 2009 +Message-Id: <20091009232233.573039908@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:24 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jean Delvare , + Randy Dunlap , + "David S. Miller" +Subject: [1/8] net: Fix wrong sizeof +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=net-fix-wrong-sizeof.patch +Content-Length: 820 +Lines: 28 + +From: Jean Delvare + +commit b607bd900051efc3308c4edc65dd98b34b230021 upstream. + +Which is why I have always preferred sizeof(struct foo) over +sizeof(var). + +Signed-off-by: Jean Delvare +Acked-by: Randy Dunlap +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/iseries_veth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/iseries_veth.c ++++ b/drivers/net/iseries_veth.c +@@ -495,7 +495,7 @@ static void veth_take_cap_ack(struct vet + cnx->remote_lp); + } else { + memcpy(&cnx->cap_ack_event, event, +- sizeof(&cnx->cap_ack_event)); ++ sizeof(cnx->cap_ack_event)); + cnx->state |= VETH_STATE_GOTCAPACK; + veth_kick_statemachine(cnx); + } + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:33 2009 +Message-Id: <20091009232233.689031894@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:25 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jan Beulich , + Ingo Molnar , + Chuck Ebbert +Subject: [2/8] x86-64: slightly stream-line 32-bit syscall entry code +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch +Content-Length: 3411 +Lines: 120 + +From: Jan Beulich + +commit 295286a89107c353b9677bc604361c537fd6a1c0 upstream + +x86-64: slightly stream-line 32-bit syscall entry code + +[ required for following patch to apply properly ] + +Avoid updating registers or memory twice as well as needlessly loading +or copying registers. + +Signed-off-by: Jan Beulich +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -39,11 +39,11 @@ + .endm + + /* clobbers %eax */ +- .macro CLEAR_RREGS ++ .macro CLEAR_RREGS _r9=rax + xorl %eax,%eax + movq %rax,R11(%rsp) + movq %rax,R10(%rsp) +- movq %rax,R9(%rsp) ++ movq %\_r9,R9(%rsp) + movq %rax,R8(%rsp) + .endm + +@@ -52,11 +52,10 @@ + * We don't reload %eax because syscall_trace_enter() returned + * the value it wants us to use in the table lookup. + */ +- .macro LOAD_ARGS32 offset +- movl \offset(%rsp),%r11d +- movl \offset+8(%rsp),%r10d ++ .macro LOAD_ARGS32 offset, _r9=0 ++ .if \_r9 + movl \offset+16(%rsp),%r9d +- movl \offset+24(%rsp),%r8d ++ .endif + movl \offset+40(%rsp),%ecx + movl \offset+48(%rsp),%edx + movl \offset+56(%rsp),%esi +@@ -145,7 +144,7 @@ ENTRY(ia32_sysenter_target) + SAVE_ARGS 0,0,1 + /* no need to do an access_ok check here because rbp has been + 32bit zero extended */ +-1: movl (%rbp),%r9d ++1: movl (%rbp),%ebp + .section __ex_table,"a" + .quad 1b,ia32_badarg + .previous +@@ -157,7 +156,7 @@ ENTRY(ia32_sysenter_target) + cmpl $(IA32_NR_syscalls-1),%eax + ja ia32_badsys + sysenter_do_call: +- IA32_ARG_FIXUP 1 ++ IA32_ARG_FIXUP + sysenter_dispatch: + call *ia32_sys_call_table(,%rax,8) + movq %rax,RAX-ARGOFFSET(%rsp) +@@ -234,20 +233,17 @@ sysexit_audit: + #endif + + sysenter_tracesys: +- xchgl %r9d,%ebp + #ifdef CONFIG_AUDITSYSCALL + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) + jz sysenter_auditsys + #endif + SAVE_REST + CLEAR_RREGS +- movq %r9,R9(%rsp) + movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter + LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST +- xchgl %ebp,%r9d + cmpl $(IA32_NR_syscalls-1),%eax + ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ + jmp sysenter_do_call +@@ -314,9 +310,9 @@ ENTRY(ia32_cstar_target) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) + CFI_REMEMBER_STATE + jnz cstar_tracesys +-cstar_do_call: + cmpl $IA32_NR_syscalls-1,%eax + ja ia32_badsys ++cstar_do_call: + IA32_ARG_FIXUP 1 + cstar_dispatch: + call *ia32_sys_call_table(,%rax,8) +@@ -357,15 +353,13 @@ cstar_tracesys: + #endif + xchgl %r9d,%ebp + SAVE_REST +- CLEAR_RREGS +- movq %r9,R9(%rsp) ++ CLEAR_RREGS r9 + movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ + RESTORE_REST + xchgl %ebp,%r9d +- movl RSP-ARGOFFSET(%rsp), %r8d + cmpl $(IA32_NR_syscalls-1),%eax + ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ + jmp cstar_do_call + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:33 2009 +Message-Id: <20091009232233.829025942@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:26 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jan Beulich , + Ingo Molnar , + Chuck Ebbert +Subject: [3/8] x86: Dont leak 64-bit kernel register values to 32-bit processes +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch +Content-Length: 3335 +Lines: 126 + +From: Jan Beulich + +commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream + +x86: Don't leak 64-bit kernel register values to 32-bit processes + +While 32-bit processes can't directly access R8...R15, they can +gain access to these registers by temporarily switching themselves +into 64-bit mode. + +Therefore, registers not preserved anyway by called C functions +(i.e. R8...R11) must be cleared prior to returning to user mode. + +Signed-off-by: Jan Beulich +LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com> +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -21,8 +21,8 @@ + #define __AUDIT_ARCH_LE 0x40000000 + + #ifndef CONFIG_AUDITSYSCALL +-#define sysexit_audit int_ret_from_sys_call +-#define sysretl_audit int_ret_from_sys_call ++#define sysexit_audit ia32_ret_from_sys_call ++#define sysretl_audit ia32_ret_from_sys_call + #endif + + #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8) +@@ -39,12 +39,12 @@ + .endm + + /* clobbers %eax */ +- .macro CLEAR_RREGS _r9=rax ++ .macro CLEAR_RREGS offset=0, _r9=rax + xorl %eax,%eax +- movq %rax,R11(%rsp) +- movq %rax,R10(%rsp) +- movq %\_r9,R9(%rsp) +- movq %rax,R8(%rsp) ++ movq %rax,\offset+R11(%rsp) ++ movq %rax,\offset+R10(%rsp) ++ movq %\_r9,\offset+R9(%rsp) ++ movq %rax,\offset+R8(%rsp) + .endm + + /* +@@ -172,6 +172,10 @@ sysexit_from_sys_call: + movl RIP-R11(%rsp),%edx /* User %eip */ + CFI_REGISTER rip,rdx + RESTORE_ARGS 1,24,1,1,1,1 ++ xorq %r8,%r8 ++ xorq %r9,%r9 ++ xorq %r10,%r10 ++ xorq %r11,%r11 + popfq + CFI_ADJUST_CFA_OFFSET -8 + /*CFI_RESTORE rflags*/ +@@ -202,7 +206,7 @@ sysexit_from_sys_call: + + .macro auditsys_exit exit,ebpsave=RBP + testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) +- jnz int_ret_from_sys_call ++ jnz ia32_ret_from_sys_call + TRACE_IRQS_ON + sti + movl %eax,%esi /* second arg, syscall return value */ +@@ -218,8 +222,9 @@ sysexit_from_sys_call: + cli + TRACE_IRQS_OFF + testl %edi,TI_flags(%r10) +- jnz int_with_check +- jmp \exit ++ jz \exit ++ CLEAR_RREGS -ARGOFFSET ++ jmp int_with_check + .endm + + sysenter_auditsys: +@@ -329,6 +334,9 @@ sysretl_from_sys_call: + CFI_REGISTER rip,rcx + movl EFLAGS-ARGOFFSET(%rsp),%r11d + /*CFI_REGISTER rflags,r11*/ ++ xorq %r10,%r10 ++ xorq %r9,%r9 ++ xorq %r8,%r8 + TRACE_IRQS_ON + movl RSP-ARGOFFSET(%rsp),%esp + CFI_RESTORE rsp +@@ -353,7 +361,7 @@ cstar_tracesys: + #endif + xchgl %r9d,%ebp + SAVE_REST +- CLEAR_RREGS r9 ++ CLEAR_RREGS 0, r9 + movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +@@ -425,6 +433,8 @@ ia32_do_call: + call *ia32_sys_call_table(,%rax,8) # xxx: rip relative + ia32_sysret: + movq %rax,RAX-ARGOFFSET(%rsp) ++ia32_ret_from_sys_call: ++ CLEAR_RREGS -ARGOFFSET + jmp int_ret_from_sys_call + + ia32_tracesys: +@@ -442,8 +452,8 @@ END(ia32_syscall) + + ia32_badsys: + movq $0,ORIG_RAX-ARGOFFSET(%rsp) +- movq $-ENOSYS,RAX-ARGOFFSET(%rsp) +- jmp int_ret_from_sys_call ++ movq $-ENOSYS,%rax ++ jmp ia32_sysret + + quiet_ni_syscall: + movq $-ENOSYS,%rax + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:34 2009 +Message-Id: <20091009232233.941048286@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:27 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Serge Hallyn , + Dave Kleikamp , + ecryptfs-devel@lists.launchpad.net, + Tyler Hicks , + Chuck Ebbert +Subject: [4/8] eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908) +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch +Content-Length: 1844 +Lines: 55 + + +From: Tyler Hicks + +commit 9c2d2056647790c5034d722bd24e9d913ebca73c upstream. + +When calling vfs_unlink() on the lower dentry, d_delete() turns the +dentry into a negative dentry when the d_count is 1. This eventually +caused a NULL pointer deref when a read() or write() was done and the +negative dentry's d_inode was dereferenced in +ecryptfs_read_update_atime() or ecryptfs_getxattr(). + +Placing mutt's tmpdir in an eCryptfs mount is what initially triggered +the oops and I was able to reproduce it with the following sequence: + +open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3 +link("/tmp/upper/foo", "/tmp/upper/bar") = 0 +unlink("/tmp/upper/foo") = 0 +open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4 +unlink("/tmp/upper/bar") = 0 +write(4, "eCryptfs test\n"..., 14 ++++ killed by SIGKILL +++ + +https://bugs.launchpad.net/ecryptfs/+bug/387073 + +Reported-by: Loïc Minier +Cc: Serge Hallyn +Cc: Dave Kleikamp +Cc: ecryptfs-devel@lists.launchpad.net +Signed-off-by: Tyler Hicks +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -443,6 +443,7 @@ static int ecryptfs_unlink(struct inode + struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir); + struct dentry *lower_dir_dentry; + ++ dget(lower_dentry); + lower_dir_dentry = lock_parent(lower_dentry); + rc = vfs_unlink(lower_dir_inode, lower_dentry); + if (rc) { +@@ -456,6 +457,7 @@ static int ecryptfs_unlink(struct inode + d_drop(dentry); + out_unlock: + unlock_dir(lower_dir_dentry); ++ dput(lower_dentry); + return rc; + } + + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:34 2009 +Message-Id: <20091009232234.069019937@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:28 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Michal Hocko , + Jiri Kosina , + "H. Peter Anvin" , + Chuck Ebbert +Subject: [5/8] x86: Increase MIN_GAP to include randomized stack +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=x86-increase-min_gap-to-include-randomized-stack.patch +Content-Length: 2075 +Lines: 73 + +From: Michal Hocko + +[ trivial backport to 2.6.27: Chuck Ebbert ] + +commit 80938332d8cf652f6b16e0788cf0ca136befe0b5 upstream. + +Currently we are not including randomized stack size when calculating +mmap_base address in arch_pick_mmap_layout for topdown case. This might +cause that mmap_base starts in the stack reserved area because stack is +randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB. + +If the stack really grows down to mmap_base then we can get silent mmap +region overwrite by the stack values. + +Let's include maximum stack randomization size into MIN_GAP which is +used as the low bound for the gap in mmap. + +Signed-off-by: Michal Hocko +LKML-Reference: <1252400515-6866-1-git-send-email-mhocko@suse.cz> +Acked-by: Jiri Kosina +Signed-off-by: H. Peter Anvin +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/x86/mm/mmap.c | 17 +++++++++++++++-- + include/asm-x86/elf.h | 2 ++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -29,13 +29,26 @@ + #include + #include + #include ++#include ++ ++static unsigned int stack_maxrandom_size(void) ++{ ++ unsigned int max = 0; ++ if ((current->flags & PF_RANDOMIZE) && ++ !(current->personality & ADDR_NO_RANDOMIZE)) { ++ max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; ++ } ++ ++ return max; ++} ++ + + /* + * Top of mmap area (just below the process stack). + * +- * Leave an at least ~128 MB hole. ++ * Leave an at least ~128 MB hole with possible stack randomization. + */ +-#define MIN_GAP (128*1024*1024) ++#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size()) + #define MAX_GAP (TASK_SIZE/6*5) + + /* +--- a/include/asm-x86/elf.h ++++ b/include/asm-x86/elf.h +@@ -287,6 +287,8 @@ do { \ + + #ifdef CONFIG_X86_32 + ++#define STACK_RND_MASK (0x7ff) ++ + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO)) + + #define ARCH_DLINFO ARCH_DLINFO_IA32(vdso_enabled) + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:34 2009 +Message-Id: <20091009232234.187547993@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:29 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jan Kiszka , + Avi Kivity , + Chuck Ebbert +Subject: [6/8] KVM: x86: Disallow hypercalls for guest callers in rings > 0 [CVE-2009-3290] +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch +Content-Length: 1652 +Lines: 59 + + +From: Jan Kiszka + +[ backport to 2.6.27 by Chuck Ebbert ] + +commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream. + +So far unprivileged guest callers running in ring 3 can issue, e.g., MMU +hypercalls. Normally, such callers cannot provide any hand-crafted MMU +command structure as it has to be passed by its physical address, but +they can still crash the guest kernel by passing random addresses. + +To close the hole, this patch considers hypercalls valid only if issued +from guest ring 0. This may still be relaxed on a per-hypercall base in +the future once required. + +Signed-off-by: Jan Kiszka +Signed-off-by: Avi Kivity +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 6 ++++++ + include/linux/kvm_para.h | 1 + + 2 files changed, 7 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2571,6 +2571,11 @@ int kvm_emulate_hypercall(struct kvm_vcp + a3 &= 0xFFFFFFFF; + } + ++ if (kvm_x86_ops->get_cpl(vcpu) != 0) { ++ ret = -KVM_EPERM; ++ goto out; ++ } ++ + switch (nr) { + case KVM_HC_VAPIC_POLL_IRQ: + ret = 0; +@@ -2582,6 +2587,7 @@ int kvm_emulate_hypercall(struct kvm_vcp + ret = -KVM_ENOSYS; + break; + } ++out: + vcpu->arch.regs[VCPU_REGS_RAX] = ret; + kvm_x86_ops->decache_regs(vcpu); + ++vcpu->stat.hypercalls; +--- a/include/linux/kvm_para.h ++++ b/include/linux/kvm_para.h +@@ -13,6 +13,7 @@ + #define KVM_ENOSYS 1000 + #define KVM_EFAULT EFAULT + #define KVM_E2BIG E2BIG ++#define KVM_EPERM EPERM + + #define KVM_HC_VAPIC_POLL_IRQ 1 + #define KVM_HC_MMU_OP 2 + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:34 2009 +Message-Id: <20091009232234.333042452@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:30 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Thomas Mingarelli , + Wim Van Sebroeck +Subject: [7/8] [WATCHDOG] hpwdt.c: Add new HP BMC controller. +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=hpwdt.c-add-new-hp-bmc-controller.patch +Content-Length: 1810 +Lines: 62 + +From: Thomas Mingarelli + +commit d8100c3abfd32986a8820ce4e614b0223a2d22a9 upstream. + +Add the PCI-ID for the upcoming new BMC controller for HP hardware. + +Signed-off-by: Thomas Mingarelli +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/hpwdt.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -47,6 +47,7 @@ + #define PCI_BIOS32_PARAGRAPH_LEN 16 + #define PCI_ROM_BASE1 0x000F0000 + #define ROM_SIZE 0x10000 ++#define HPWDT_VERSION "1.01" + + struct bios32_service_dir { + u32 signature; +@@ -130,12 +131,8 @@ static void *cru_rom_addr; + static struct cmn_registers cmn_regs; + + static struct pci_device_id hpwdt_devices[] = { +- { +- .vendor = PCI_VENDOR_ID_COMPAQ, +- .device = 0xB203, +- .subvendor = PCI_ANY_ID, +- .subdevice = PCI_ANY_ID, +- }, ++ { PCI_DEVICE(PCI_VENDOR_ID_COMPAQ, 0xB203) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_HP, 0x3306) }, + {0}, /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci, hpwdt_devices); +@@ -704,10 +701,11 @@ static int __devinit hpwdt_init_one(stru + } + + printk(KERN_INFO +- "hp Watchdog Timer Driver: 1.00" ++ "hp Watchdog Timer Driver: %s" + ", timer margin: %d seconds (nowayout=%d)" + ", allow kernel dump: %s (default = 0/OFF).\n", +- soft_margin, nowayout, (allow_kdump == 0) ? "OFF" : "ON"); ++ HPWDT_VERSION, soft_margin, nowayout, ++ (allow_kdump == 0) ? "OFF" : "ON"); + + return 0; + +@@ -757,6 +755,7 @@ static int __init hpwdt_init(void) + MODULE_AUTHOR("Tom Mingarelli"); + MODULE_DESCRIPTION("hp watchdog driver"); + MODULE_LICENSE("GPL"); ++MODULE_VERSION(HPWDT_VERSION); + MODULE_ALIAS_MISCDEV(WATCHDOG_MINOR); + + module_param(soft_margin, int, 0); + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:34 2009 +Message-Id: <20091009232234.419680073@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:31 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + John Stultz , + Yanmin Zhang , + Ingo Molnar +Subject: [8/8] time: catch xtime_nsec underflows and fix them +From: gregkh@mini.kroah.org +References: <20091009232123.464253035@mini.kroah.org> +Content-Disposition: inline; filename=time-catch-xtime_nsec-underflows-and-fix-them.patch +Content-Length: 4070 +Lines: 99 + +From: john stultz + +commit 6c9bacb41c10ba84ff68f238e234d96f35fb64f7 upstream. + +Impact: fix time warp bug + +Alex Shi, along with Yanmin Zhang have been noticing occasional time +inconsistencies recently. Through their great diagnosis, they found that +the xtime_nsec value used in update_wall_time was occasionally going +negative. After looking through the code for awhile, I realized we have +the possibility for an underflow when three conditions are met in +update_wall_time(): + + 1) We have accumulated a second's worth of nanoseconds, so we + incremented xtime.tv_sec and appropriately decrement xtime_nsec. + (This doesn't cause xtime_nsec to go negative, but it can cause it + to be small). + + 2) The remaining offset value is large, but just slightly less then + cycle_interval. + + 3) clocksource_adjust() is speeding up the clock, causing a + corrective amount (compensating for the increase in the multiplier + being multiplied against the unaccumulated offset value) to be + subtracted from xtime_nsec. + +This can cause xtime_nsec to underflow. + +Unfortunately, since we notify the NTP subsystem via second_overflow() +whenever we accumulate a full second, and this effects the error +accumulation that has already occured, we cannot simply revert the +accumulated second from xtime nor move the second accumulation to after +the clocksource_adjust call without a change in behavior. + +This leaves us with (at least) two options: + +1) Simply return from clocksource_adjust() without making a change if we + notice the adjustment would cause xtime_nsec to go negative. + +This would work, but I'm concerned that if a large adjustment was needed +(due to the error being large), it may be possible to get stuck with an +ever increasing error that becomes too large to correct (since it may +always force xtime_nsec negative). This may just be paranoia on my part. + +2) Catch xtime_nsec if it is negative, then add back the amount its + negative to both xtime_nsec and the error. + +This second method is consistent with how we've handled earlier rounding +issues, and also has the benefit that the error being added is always in +the oposite direction also always equal or smaller then the correction +being applied. So the risk of a corner case where things get out of +control is lessened. + +This patch fixes bug 11970, as tested by Yanmin Zhang +http://bugzilla.kernel.org/show_bug.cgi?id=11970 + +Reported-by: alex.shi@intel.com +Signed-off-by: John Stultz +Acked-by: Yanmin Zhang +Tested-by: Yanmin Zhang +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timekeeping.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -477,6 +477,28 @@ void update_wall_time(void) + /* correct the clock when NTP error is too big */ + clocksource_adjust(offset); + ++ /* ++ * Since in the loop above, we accumulate any amount of time ++ * in xtime_nsec over a second into xtime.tv_sec, its possible for ++ * xtime_nsec to be fairly small after the loop. Further, if we're ++ * slightly speeding the clocksource up in clocksource_adjust(), ++ * its possible the required corrective factor to xtime_nsec could ++ * cause it to underflow. ++ * ++ * Now, we cannot simply roll the accumulated second back, since ++ * the NTP subsystem has been notified via second_overflow. So ++ * instead we push xtime_nsec forward by the amount we underflowed, ++ * and add that amount into the error. ++ * ++ * We'll correct this error next time through this function, when ++ * xtime_nsec is not as small. ++ */ ++ if (unlikely((s64)clock->xtime_nsec < 0)) { ++ s64 neg = -(s64)clock->xtime_nsec; ++ clock->xtime_nsec = 0; ++ clock->error += neg << (NTP_SCALE_SHIFT - clock->shift); ++ } ++ + /* store full nanoseconds into xtime */ + xtime.tv_nsec = (s64)clock->xtime_nsec >> clock->shift; + clock->xtime_nsec -= (s64)xtime.tv_nsec << clock->shift; + + +From gregkh@mini.kroah.org Fri Oct 9 16:22:33 2009 +Message-Id: <20091009232123.464253035@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 09 Oct 2009 16:21:23 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [0/8] 2.6.27.37-stable review +From: gregkh@mini.kroah.org +Status: RO +Content-Length: 1161 +Lines: 29 + +This is the start of the stable review cycle for the 2.6.27.37 release. +There are 8 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +Responses should be made by Sunday October 11, 23:00:00 UTC. Anything +received after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.27.37-rc1.gz +and the diffstat can be found below. + + +thanks, + +greg k-h + + Makefile | 2 +- + arch/x86/ia32/ia32entry.S | 56 +++++++++++++++++++++++-------------------- + arch/x86/kvm/x86.c | 6 ++++ + arch/x86/mm/mmap.c | 17 +++++++++++- + drivers/net/iseries_veth.c | 2 +- + drivers/watchdog/hpwdt.c | 15 +++++------ + fs/ecryptfs/inode.c | 2 + + include/asm-x86/elf.h | 2 + + include/linux/kvm_para.h | 1 + + kernel/time/timekeeping.c | 22 +++++++++++++++++ + 10 files changed, 87 insertions(+), 38 deletions(-) + diff --git a/queue-2.6.27/net-fix-wrong-sizeof.patch b/review-2.6.27/net-fix-wrong-sizeof.patch similarity index 100% rename from queue-2.6.27/net-fix-wrong-sizeof.patch rename to review-2.6.27/net-fix-wrong-sizeof.patch diff --git a/queue-2.6.27/series b/review-2.6.27/series similarity index 100% rename from queue-2.6.27/series rename to review-2.6.27/series diff --git a/queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch b/review-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch similarity index 97% rename from queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch rename to review-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch index e0d433ce218..29c9d298874 100644 --- a/queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch +++ b/review-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch @@ -61,8 +61,8 @@ http://bugzilla.kernel.org/show_bug.cgi?id=11970 Reported-by: alex.shi@intel.com Signed-off-by: John Stultz -Acked-by: "Zhang, Yanmin" -Tested-by: "Zhang, Yanmin" +Acked-by: Yanmin Zhang +Tested-by: Yanmin Zhang Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman diff --git a/queue-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch b/review-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch similarity index 100% rename from queue-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch rename to review-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch diff --git a/queue-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch b/review-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch similarity index 100% rename from queue-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch rename to review-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch diff --git a/queue-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch b/review-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch similarity index 100% rename from queue-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch rename to review-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch