From: Greg Kroah-Hartman Date: Fri, 11 Sep 2009 00:27:46 +0000 (-0700) Subject: start 2.6.30.7 review cycle X-Git-Tag: v2.6.27.34~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9135325caa823f14c61b3bfea8124854c10b05e;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.30.7 review cycle --- diff --git a/queue-2.6.30/dccp-missing-destroy-of-percpu-counter-variable-while-unload-module.patch b/review-2.6.30/dccp-missing-destroy-of-percpu-counter-variable-while-unload-module.patch similarity index 100% rename from queue-2.6.30/dccp-missing-destroy-of-percpu-counter-variable-while-unload-module.patch rename to review-2.6.30/dccp-missing-destroy-of-percpu-counter-variable-while-unload-module.patch diff --git a/queue-2.6.30/dm-exception-store-split-set_chunk_size.patch b/review-2.6.30/dm-exception-store-split-set_chunk_size.patch similarity index 100% rename from queue-2.6.30/dm-exception-store-split-set_chunk_size.patch rename to review-2.6.30/dm-exception-store-split-set_chunk_size.patch diff --git a/queue-2.6.30/dm-raid1-do-not-allow-log_failure-variable-to-unset-after-being-set.patch b/review-2.6.30/dm-raid1-do-not-allow-log_failure-variable-to-unset-after-being-set.patch similarity index 100% rename from queue-2.6.30/dm-raid1-do-not-allow-log_failure-variable-to-unset-after-being-set.patch rename to review-2.6.30/dm-raid1-do-not-allow-log_failure-variable-to-unset-after-being-set.patch diff --git a/queue-2.6.30/dm-snapshot-fix-header-corruption-race-on-invalidation.patch b/review-2.6.30/dm-snapshot-fix-header-corruption-race-on-invalidation.patch similarity index 100% rename from queue-2.6.30/dm-snapshot-fix-header-corruption-race-on-invalidation.patch rename to review-2.6.30/dm-snapshot-fix-header-corruption-race-on-invalidation.patch 
diff --git a/queue-2.6.30/dm-snapshot-fix-on-disk-chunk-size-validation.patch b/review-2.6.30/dm-snapshot-fix-on-disk-chunk-size-validation.patch similarity index 100% rename from queue-2.6.30/dm-snapshot-fix-on-disk-chunk-size-validation.patch rename to review-2.6.30/dm-snapshot-fix-on-disk-chunk-size-validation.patch diff --git a/queue-2.6.30/dm-snapshot-refactor-zero_disk_area-to-use-chunk_io.patch b/review-2.6.30/dm-snapshot-refactor-zero_disk_area-to-use-chunk_io.patch similarity index 100% rename from queue-2.6.30/dm-snapshot-refactor-zero_disk_area-to-use-chunk_io.patch rename to review-2.6.30/dm-snapshot-refactor-zero_disk_area-to-use-chunk_io.patch diff --git a/queue-2.6.30/e100-fix-interaction-with-swiotlb-on-x86.patch b/review-2.6.30/e100-fix-interaction-with-swiotlb-on-x86.patch similarity index 100% rename from queue-2.6.30/e100-fix-interaction-with-swiotlb-on-x86.patch rename to review-2.6.30/e100-fix-interaction-with-swiotlb-on-x86.patch diff --git a/queue-2.6.30/gre-fix-mtu-calculation-for-bound-gre-tunnels.patch b/review-2.6.30/gre-fix-mtu-calculation-for-bound-gre-tunnels.patch similarity index 100% rename from queue-2.6.30/gre-fix-mtu-calculation-for-bound-gre-tunnels.patch rename to review-2.6.30/gre-fix-mtu-calculation-for-bound-gre-tunnels.patch diff --git a/queue-2.6.30/jffs2-add-missing-verify-buffer-allocation-deallocation.patch b/review-2.6.30/jffs2-add-missing-verify-buffer-allocation-deallocation.patch similarity index 100% rename from queue-2.6.30/jffs2-add-missing-verify-buffer-allocation-deallocation.patch rename to review-2.6.30/jffs2-add-missing-verify-buffer-allocation-deallocation.patch diff --git a/review-2.6.30/mbox b/review-2.6.30/mbox new file mode 100644 index 00000000000..ccba81f3f56 --- /dev/null +++ b/review-2.6.30/mbox 
@@ -0,0 +1,2169 @@ +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.099894354@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:47 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Wei Yongjun , + Eric Dumazet , + "David S. Miller" +Subject: [patch 01/22] dccp: missing destroy of percpu counter variable while unload module +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dccp-missing-destroy-of-percpu-counter-variable-while-unload-module.patch +Content-Length: 1799 +Lines: 53 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Wei Yongjun + +[ Upstream commit 476181cb05c6a3aea3ef42309388e255c934a06f ] + +percpu counter dccp_orphan_count is init in dccp_init() by +percpu_counter_init() while dccp module is loaded, but the +destroy of it is missing while dccp module is unloaded. We +can get the kernel WARNING about this. Reproduct by the +following commands: + + $ modprobe dccp + $ rmmod dccp + $ modprobe dccp + +WARNING: at lib/list_debug.c:26 __list_add+0x27/0x5c() +Hardware name: VMware Virtual Platform +list_add corruption. next->prev should be prev (c080c0c4), but was (null). (next +=ca7188cc). +Modules linked in: dccp(+) nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc +Pid: 1956, comm: modprobe Not tainted 2.6.31-rc5 #55 +Call Trace: + [] warn_slowpath_common+0x6a/0x81 + [] ? __list_add+0x27/0x5c + [] warn_slowpath_fmt+0x29/0x2c + [] __list_add+0x27/0x5c + [] __percpu_counter_init+0x4d/0x5d + [] dccp_init+0x19/0x2ed [dccp] + [] do_one_initcall+0x4f/0x111 + [] ? dccp_init+0x0/0x2ed [dccp] + [] ? notifier_call_chain+0x26/0x48 + [] ? 
__blocking_notifier_call_chain+0x45/0x51 + [] sys_init_module+0xac/0x1bd + [] sysenter_do_call+0x12/0x22 + +Signed-off-by: Wei Yongjun +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/proto.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -1159,6 +1159,7 @@ static void __exit dccp_fini(void) + kmem_cache_destroy(dccp_hashinfo.bind_bucket_cachep); + dccp_ackvec_exit(); + dccp_sysctl_exit(); ++ percpu_counter_destroy(&dccp_orphan_count); + } + + module_init(dccp_init); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.235687801@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:48 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + =?ISO-8859-15?q?Krzysztof=20Ha=C5=82asa?= , + "David S. Miller" +Subject: [patch 02/22] E100: fix interaction with swiotlb on X86. +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=e100-fix-interaction-with-swiotlb-on-x86.patch +Content-Length: 1527 +Lines: 38 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Krzysztof Hałasa + +[ Upstream commit 6ff9c2e7fa8ca63a575792534b63c5092099c286 ] + +E100 places it's RX packet descriptors inside skb->data and uses them +with bidirectional streaming DMA mapping. Data in descriptors is +accessed simultaneously by the chip (writing status and size when +a packet is received) and CPU (reading to check if the packet was +received). This isn't a valid usage of PCI DMA API, which requires use +of the coherent (consistent) memory for such purpose. Unfortunately e100 +chips working in "simplified" RX mode have to store received data +directly after the descriptor. 
Fixing the driver to conform to the API +would require using unsupported "flexible" RX mode or receiving data +into a coherent memory and using CPU to copy it to network buffers. + +This patch, while not yet making the driver conform to the PCI DMA API, +allows it to work correctly on X86 with swiotlb (while not breaking +other architectures). + +Signed-off-by: Krzysztof Hałasa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/e100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/e100.c ++++ b/drivers/net/e100.c +@@ -1764,7 +1764,7 @@ static int e100_rx_indicate(struct nic * + nic->ru_running = RU_SUSPENDED; + pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr, + sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ PCI_DMA_FROMDEVICE); + return -ENODATA; + } + + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.373226576@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:49 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tom Goff , + "David S. Miller" +Subject: [patch 03/22] gre: Fix MTU calculation for bound GRE tunnels +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=gre-fix-mtu-calculation-for-bound-gre-tunnels.patch +Content-Length: 865 +Lines: 28 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Tom Goff + +[ Upstream commit 8cdb045632e5ee22854538619ac6f150eb0a4894 ] + +The GRE header length should be subtracted when the tunnel MTU is +calculated. This just corrects for the associativity change +introduced by commit 42aa916265d740d66ac1f17290366e9494c884c2 +("gre: Move MTU setting out of ipgre_tunnel_bind_dev"). + +Signed-off-by: Tom Goff +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -952,7 +952,7 @@ static int ipgre_tunnel_bind_dev(struct + addend += 4; + } + dev->needed_headroom = addend + hlen; +- mtu -= dev->hard_header_len - addend; ++ mtu -= dev->hard_header_len + addend; + + if (mtu < 68) + mtu = 68; + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.524280560@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:50 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ben McKeegan , + "David S. Miller" +Subject: [patch 04/22] ppp: fix lost fragments in ppp_mp_explode() (resubmit) +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=ppp-fix-lost-fragments-in-ppp_mp_explode.patch +Content-Length: 3133 +Lines: 101 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Ben McKeegan + +[ Upstream commit a53a8b56827cc429c6d9f861ad558beeb5f6103f ] + +This patch fixes the corner cases where the sum of MTU of the free +channels (adjusted for fragmentation overheads) is less than the MTU +of PPP link. There are at least 3 situations where this case might +arise: + +- some of the channels are busy + +- the multilink session is running in a degraded state (i.e. with less +than its full complement of active channels) + +- by design, where multilink protocol is being used to artificially +increase the effective link MTU of a single link. + +Without this patch, at most 1 fragment is ever sent per free channel +for a given PPP frame and any remaining part of the PPP frame that +does not fit into those fragments is silently discarded. 
+ +This patch restores the original behaviour which was broken by commit +9c705260feea6ae329bc6b6d5f6d2ef0227eda0a 'ppp:ppp_mp_explode() +redesign'. Once all 'free' channels have been given a fragment, an +additional fragment is queued to each available channel in turn, as many +times as necessary, until the entire PPP frame has been consumed. + +Signed-off-by: Ben McKeegan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp_generic.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/net/ppp_generic.c ++++ b/drivers/net/ppp_generic.c +@@ -1383,7 +1383,7 @@ static int ppp_mp_explode(struct ppp *pp + + /* create a fragment for each channel */ + bits = B; +- while (nfree > 0 && len > 0) { ++ while (len > 0) { + list = list->next; + if (list == &ppp->channels) { + i = 0; +@@ -1430,29 +1430,31 @@ static int ppp_mp_explode(struct ppp *pp + *otherwise divide it according to the speed + *of the channel we are going to transmit on + */ +- if (pch->speed == 0) { +- flen = totlen/nfree ; +- if (nbigger > 0) { +- flen++; +- nbigger--; +- } +- } else { +- flen = (((totfree - nzero)*(totlen + hdrlen*totfree)) / +- ((totspeed*totfree)/pch->speed)) - hdrlen; +- if (nbigger > 0) { +- flen += ((totfree - nzero)*pch->speed)/totspeed; +- nbigger -= ((totfree - nzero)*pch->speed)/ ++ if (nfree > 0) { ++ if (pch->speed == 0) { ++ flen = totlen/nfree ; ++ if (nbigger > 0) { ++ flen++; ++ nbigger--; ++ } ++ } else { ++ flen = (((totfree - nzero)*(totlen + hdrlen*totfree)) / ++ ((totspeed*totfree)/pch->speed)) - hdrlen; ++ if (nbigger > 0) { ++ flen += ((totfree - nzero)*pch->speed)/totspeed; ++ nbigger -= ((totfree - nzero)*pch->speed)/ + totspeed; ++ } + } ++ nfree--; + } +- nfree--; + + /* + *check if we are on the last channel or + *we exceded the lenght of the data to + *fragment + */ +- if ((nfree == 0) || (flen > len)) ++ if ((nfree <= 0) || (flen > len)) + flen = len; + /* + *it is not 
worth to tx on slow channels: +@@ -1466,7 +1468,7 @@ static int ppp_mp_explode(struct ppp *pp + continue; + } + +- mtu = pch->chan->mtu + 2 - hdrlen; ++ mtu = pch->chan->mtu - hdrlen; + if (mtu < 4) + mtu = 4; + if (flen > mtu) + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.656912578@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:51 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Cyrill Gorcunov , + "David S. Miller" +Subject: [patch 05/22] pppol2tp: calls unregister_pernet_gen_device() at unload time +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=pppol2tp-calls-unregister_pernet_gen_device-at-unload-time.patch +Content-Length: 800 +Lines: 26 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +[ Upstream commit 446e72f30eca76d6f9a1a54adf84d2c6ba2831f8 ] + +Failure to call unregister_pernet_gen_device() can exhaust memory +if module is loaded/unloaded many times. + +Signed-off-by: Eric Dumazet +Acked-by: Cyrill Gorcunov +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/pppol2tp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/pppol2tp.c ++++ b/drivers/net/pppol2tp.c +@@ -2682,6 +2682,7 @@ out_unregister_pppol2tp_proto: + static void __exit pppol2tp_exit(void) + { + unregister_pppox_proto(PX_PROTO_OL2TP); ++ unregister_pernet_gen_device(pppol2tp_net_id, &pppol2tp_net_ops); + proto_unregister(&pppol2tp_sk_proto); + } + + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002409.803547267@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:52 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + Pavel Emelyanov , + "David S. Miller" +Subject: [patch 06/22] net: net_assign_generic() fix +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=net-net_assign_generic-fix.patch +Content-Length: 830 +Lines: 27 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +[ Upstream commit 144586301f6af5ae5943a002f030d8c626fa4fdd ] + +memcpy() should take into account size of pointers, +not only number of pointers to copy. + +Signed-off-by: Eric Dumazet +Acked-by: Pavel Emelyanov +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -498,7 +498,7 @@ int net_assign_generic(struct net *net, + */ + + ng->len = id; +- memcpy(&ng->ptr, &old_ng->ptr, old_ng->len); ++ memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*)); + + rcu_assign_pointer(net->gen, ng); + call_rcu(&old_ng->rcu, net_generic_release); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002409.986396768@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:53 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" +Subject: [patch 07/22] sparc64: Kill spurious NMI watchdog triggers by increasing limit to 30 seconds. +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sparc64-kill-spurious-nmi-watchdog-triggers-by-increasing-limit-to-30-seconds.patch +Content-Length: 2327 +Lines: 71 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: David S. Miller + +[ Upstream commit e6617c6ec28a17cf2f90262b835ec05b9b861400 ] + +This is a compromise and a temporary workaround for bootup NMI +watchdog triggers some people see with qla2xxx devices present. + +This happens when, for example: + +CPU 0 is in the driver init and looping submitting mailbox commands to +load the firmware, then waiting for completion. + +CPU 1 is receiving the device interrupts. CPU 1 is where the NMI +watchdog triggers. + +CPU 0 is submitting mailbox commands fast enough that by the time CPU +1 returns from the device interrupt handler, a new one is pending. +This sequence runs for more than 5 seconds. 
+ +The problematic case is CPU 1's timer interrupt running when the +barrage of device interrupts begin. Then we have: + + timer interrupt + return for softirq checking + pending, thus enable interrupts + + qla2xxx interrupt + return + qla2xxx interrupt + return + ... 5+ seconds pass + final qla2xxx interrupt for fw load + return + + run timer softirq + return + +At some point in the multi-second qla2xxx interrupt storm we trigger +the NMI watchdog on CPU 1 from the NMI interrupt handler. + +The timer softirq, once we get back to running it, is smart enough to +run the timer work enough times to make up for the missed timer +interrupts. + +However, the NMI watchdogs (both x86 and sparc) use the timer +interrupt count to notice the cpu is wedged. But in the above +scenerio we'll receive only one such timer interrupt even if we last +all the way back to running the timer softirq. + +The default watchdog trigger point is only 5 seconds, which is pretty +low (the softwatchdog triggers at 60 seconds). So increase it to 30 +seconds for now. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/nmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sparc/kernel/nmi.c ++++ b/arch/sparc/kernel/nmi.c +@@ -103,7 +103,7 @@ notrace __kprobes void perfctr_irq(int i + } + if (!touched && __get_cpu_var(last_irq_sum) == sum) { + local_inc(&__get_cpu_var(alert_counter)); +- if (local_read(&__get_cpu_var(alert_counter)) == 5 * nmi_hz) ++ if (local_read(&__get_cpu_var(alert_counter)) == 30 * nmi_hz) + die_nmi("BUG: NMI Watchdog detected LOCKUP", + regs, panic_on_timeout); + } else { + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002410.161673663@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:54 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" +Subject: [patch 08/22] sparc64: Validate linear D-TLB misses. +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sparc64-validate-linear-d-tlb-misses.patch +Content-Length: 7747 +Lines: 236 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: David S. Miller + +[ Upstream commit d8ed1d43e17898761c7221014a15a4c7501d2ff3 ] + +When page alloc debugging is not enabled, we essentially accept any +virtual address for linear kernel TLB misses. But with kgdb, kernel +address probing, and other facilities we can try to access arbitrary +crap. + +So, make sure the address we miss on will translate to physical memory +that actually exists. + +In order to make this work we have to embed the valid address bitmap +into the kernel image. And in order to make that less expensive we +make an adjustment, in that the max physical memory address is +decreased to "1 << 41", even on the chips that support a 42-bit +physical address space. 
We can do this because bit 41 indicates +"I/O space" and thus covers non-memory ranges. + +The result of this is that: + +1) kpte_linear_bitmap shrinks from 2K to 1K in size + +2) we need 64K more for the valid address bitmap + +We can't let the valid address bitmap be dynamically allocated +once we start using it to validate TLB misses, otherwise we have +crazy issues to deal with wrt. recursive TLB misses and such. + +If we're in a TLB miss it could be the deepest trap level that's legal +inside of the cpu. So if we TLB miss referencing the bitmap, the cpu +will be out of trap levels and enter RED state. + +To guard against out-of-range accesses to the bitmap, we have to check +to make sure no bits in the physical address above bit 40 are set. We +could export and use last_valid_pfn for this check, but that's just an +unnecessary extra memory reference. + +On the plus side of all this, since we load all of these translations +into the special 4MB mapping TSB, and we check the TSB first for TLB +misses, there should be absolutely no real cost for these new checks +in the TLB miss path. + +Reported-by: heyongli@gmail.com +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/pgtable_64.h | 12 +++++++--- + arch/sparc/kernel/ktlb.S | 42 +++++++++++++++++++++++++++++++---- + arch/sparc/mm/init_64.c | 43 ++++++++++++++++++++---------------- + arch/sparc/mm/init_64.h | 7 ++++- + 4 files changed, 76 insertions(+), 28 deletions(-) + +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -726,11 +726,17 @@ extern unsigned long pte_file(pte_t); + extern pte_t pgoff_to_pte(unsigned long); + #define PTE_FILE_MAX_BITS (64UL - PAGE_SHIFT - 1UL) + +-extern unsigned long *sparc64_valid_addr_bitmap; ++extern unsigned long sparc64_valid_addr_bitmap[]; + + /* Needs to be defined here and not in linux/mm.h, as it is arch dependent */ +-#define kern_addr_valid(addr) \ +- (test_bit(__pa((unsigned long)(addr))>>22, sparc64_valid_addr_bitmap)) ++static inline bool kern_addr_valid(unsigned long addr) ++{ ++ unsigned long paddr = __pa(addr); ++ ++ if ((paddr >> 41UL) != 0UL) ++ return false; ++ return test_bit(paddr >> 22, sparc64_valid_addr_bitmap); ++} + + extern int page_in_phys_avail(unsigned long paddr); + +--- a/arch/sparc/kernel/ktlb.S ++++ b/arch/sparc/kernel/ktlb.S +@@ -151,12 +151,46 @@ kvmap_dtlb_4v: + * Must preserve %g1 and %g6 (TAG). + */ + kvmap_dtlb_tsb4m_miss: +- sethi %hi(kpte_linear_bitmap), %g2 +- or %g2, %lo(kpte_linear_bitmap), %g2 ++ /* Clear the PAGE_OFFSET top virtual bits, shift ++ * down to get PFN, and make sure PFN is in range. ++ */ ++ sllx %g4, 21, %g5 + +- /* Clear the PAGE_OFFSET top virtual bits, then shift +- * down to get a 256MB physical address index. ++ /* Check to see if we know about valid memory at the 4MB ++ * chunk this physical address will reside within. + */ ++ srlx %g5, 21 + 41, %g2 ++ brnz,pn %g2, kvmap_dtlb_longpath ++ nop ++ ++ /* This unconditional branch and delay-slot nop gets patched ++ * by the sethi sequence once the bitmap is properly setup. 
++ */ ++ .globl valid_addr_bitmap_insn ++valid_addr_bitmap_insn: ++ ba,pt %xcc, 2f ++ nop ++ .subsection 2 ++ .globl valid_addr_bitmap_patch ++valid_addr_bitmap_patch: ++ sethi %hi(sparc64_valid_addr_bitmap), %g7 ++ or %g7, %lo(sparc64_valid_addr_bitmap), %g7 ++ .previous ++ ++ srlx %g5, 21 + 22, %g2 ++ srlx %g2, 6, %g5 ++ and %g2, 63, %g2 ++ sllx %g5, 3, %g5 ++ ldx [%g7 + %g5], %g5 ++ mov 1, %g7 ++ sllx %g7, %g2, %g7 ++ andcc %g5, %g7, %g0 ++ be,pn %xcc, kvmap_dtlb_longpath ++ ++2: sethi %hi(kpte_linear_bitmap), %g2 ++ or %g2, %lo(kpte_linear_bitmap), %g2 ++ ++ /* Get the 256MB physical address index. */ + sllx %g4, 21, %g5 + mov 1, %g7 + srlx %g5, 21 + 28, %g5 +--- a/arch/sparc/mm/init_64.c ++++ b/arch/sparc/mm/init_64.c +@@ -145,7 +145,8 @@ static void __init read_obp_memory(const + cmp_p64, NULL); + } + +-unsigned long *sparc64_valid_addr_bitmap __read_mostly; ++unsigned long sparc64_valid_addr_bitmap[VALID_ADDR_BITMAP_BYTES / ++ sizeof(unsigned long)]; + EXPORT_SYMBOL(sparc64_valid_addr_bitmap); + + /* Kernel physical address base and size in bytes. */ +@@ -1876,7 +1877,7 @@ static int pavail_rescan_ents __initdata + * memory list again, and make sure it provides at least as much + * memory as 'pavail' does. 
+ */ +-static void __init setup_valid_addr_bitmap_from_pavail(void) ++static void __init setup_valid_addr_bitmap_from_pavail(unsigned long *bitmap) + { + int i; + +@@ -1899,8 +1900,7 @@ static void __init setup_valid_addr_bitm + + if (new_start <= old_start && + new_end >= (old_start + PAGE_SIZE)) { +- set_bit(old_start >> 22, +- sparc64_valid_addr_bitmap); ++ set_bit(old_start >> 22, bitmap); + goto do_next_page; + } + } +@@ -1921,20 +1921,21 @@ static void __init setup_valid_addr_bitm + } + } + ++static void __init patch_tlb_miss_handler_bitmap(void) ++{ ++ extern unsigned int valid_addr_bitmap_insn[]; ++ extern unsigned int valid_addr_bitmap_patch[]; ++ ++ valid_addr_bitmap_insn[1] = valid_addr_bitmap_patch[1]; ++ mb(); ++ valid_addr_bitmap_insn[0] = valid_addr_bitmap_patch[0]; ++ flushi(&valid_addr_bitmap_insn[0]); ++} ++ + void __init mem_init(void) + { + unsigned long codepages, datapages, initpages; + unsigned long addr, last; +- int i; +- +- i = last_valid_pfn >> ((22 - PAGE_SHIFT) + 6); +- i += 1; +- sparc64_valid_addr_bitmap = (unsigned long *) alloc_bootmem(i << 3); +- if (sparc64_valid_addr_bitmap == NULL) { +- prom_printf("mem_init: Cannot alloc valid_addr_bitmap.\n"); +- prom_halt(); +- } +- memset(sparc64_valid_addr_bitmap, 0, i << 3); + + addr = PAGE_OFFSET + kern_base; + last = PAGE_ALIGN(kern_size) + addr; +@@ -1943,15 +1944,19 @@ void __init mem_init(void) + addr += PAGE_SIZE; + } + +- setup_valid_addr_bitmap_from_pavail(); ++ setup_valid_addr_bitmap_from_pavail(sparc64_valid_addr_bitmap); ++ patch_tlb_miss_handler_bitmap(); + + high_memory = __va(last_valid_pfn << PAGE_SHIFT); + + #ifdef CONFIG_NEED_MULTIPLE_NODES +- for_each_online_node(i) { +- if (NODE_DATA(i)->node_spanned_pages != 0) { +- totalram_pages += +- free_all_bootmem_node(NODE_DATA(i)); ++ { ++ int i; ++ for_each_online_node(i) { ++ if (NODE_DATA(i)->node_spanned_pages != 0) { ++ totalram_pages += ++ free_all_bootmem_node(NODE_DATA(i)); ++ } + } + } + #else +--- 
a/arch/sparc/mm/init_64.h ++++ b/arch/sparc/mm/init_64.h +@@ -5,10 +5,13 @@ + * marked non-static so that assembler code can get at them. + */ + +-#define MAX_PHYS_ADDRESS (1UL << 42UL) +-#define KPTE_BITMAP_CHUNK_SZ (256UL * 1024UL * 1024UL) ++#define MAX_PHYS_ADDRESS (1UL << 41UL) ++#define KPTE_BITMAP_CHUNK_SZ (256UL * 1024UL * 1024UL) + #define KPTE_BITMAP_BYTES \ + ((MAX_PHYS_ADDRESS / KPTE_BITMAP_CHUNK_SZ) / 8) ++#define VALID_ADDR_BITMAP_CHUNK_SZ (4UL * 1024UL * 1024UL) ++#define VALID_ADDR_BITMAP_BYTES \ ++ ((MAX_PHYS_ADDRESS / VALID_ADDR_BITMAP_CHUNK_SZ) / 8) + + extern unsigned long kern_linear_pte_xor[2]; + extern unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)]; + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002410.310962876@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:55 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + "David S. Miller" +Subject: [patch 09/22] sparc64: Fix bootup with mcount in some configs. +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sparc64-fix-bootup-with-mcount-in-some-configs.patch +Content-Length: 2493 +Lines: 81 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: David S. Miller + +[ Upstream commit bd4352cadfacb9084c97c853b025fac010266c26 ] + +Functions invoked early when booting up a cpu can't use +tracing because mcount requires a valid 'current_thread_info()' +and TLB mappings to be setup. + +The code path of sun4v_register_mondo_queues --> register_one_mondo +is one such case. sun4v_register_mondo_queues already has the +necessary 'notrace' annotation, but register_one_mondo does not. 
+ +Normally register_one_mondo is inlined so the bug doesn't trigger, +but with some config/compiler combinations, it won't be so we +must properly mark it notrace. + +While we're here, add 'notrace' annoations to prom_printf and +prom_halt so that early error handling won't have the same problem. + +Reported-by: Alexander Beregalov +Reported-by: Leif Sawyer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/irq_64.c | 2 +- + arch/sparc/prom/misc_64.c | 2 +- + arch/sparc/prom/printf.c | 7 +++---- + 3 files changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/sparc/kernel/irq_64.c ++++ b/arch/sparc/kernel/irq_64.c +@@ -902,7 +902,7 @@ void notrace init_irqwork_curcpu(void) + * Therefore you cannot make any OBP calls, not even prom_printf, + * from these two routines. + */ +-static void __cpuinit register_one_mondo(unsigned long paddr, unsigned long type, unsigned long qmask) ++static void __cpuinit notrace register_one_mondo(unsigned long paddr, unsigned long type, unsigned long qmask) + { + unsigned long num_entries = (qmask + 1) / 64; + unsigned long status; +--- a/arch/sparc/prom/misc_64.c ++++ b/arch/sparc/prom/misc_64.c +@@ -88,7 +88,7 @@ void prom_cmdline(void) + /* Drop into the prom, but completely terminate the program. + * No chance of continuing. + */ +-void prom_halt(void) ++void notrace prom_halt(void) + { + #ifdef CONFIG_SUN_LDOMS + if (ldom_domaining_enabled) +--- a/arch/sparc/prom/printf.c ++++ b/arch/sparc/prom/printf.c +@@ -14,14 +14,14 @@ + */ + + #include ++#include + + #include + #include + + static char ppbuf[1024]; + +-void +-prom_write(const char *buf, unsigned int n) ++void notrace prom_write(const char *buf, unsigned int n) + { + char ch; + +@@ -33,8 +33,7 @@ prom_write(const char *buf, unsigned int + } + } + +-void +-prom_printf(const char *fmt, ...) ++void notrace prom_printf(const char *fmt, ...) 
+ { + va_list args; + int i; + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002410.490751860@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:56 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mathieu Desnoyers , + "David S. Miller" +Subject: [patch 10/22] sparc: sys32.S incorrect compat-layer splice() system call +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sparc-sys32.s-incorrect-compat-layer-splice-system-call.patch +Content-Length: 1243 +Lines: 36 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Mathieu Desnoyers + +[ Upstream commit e2c6cbd9ace61039d3de39e717195e38f1492aee ] + +I think arch/sparc/kernel/sys32.S has an incorrect splice definition: + +SIGN2(sys32_splice, sys_splice, %o0, %o1) + +The splice() prototype looks like : + + long splice(int fd_in, loff_t *off_in, int fd_out, + loff_t *off_out, size_t len, unsigned int flags); + +So I think we should have : + +SIGN2(sys32_splice, sys_splice, %o0, %o2) + +Signed-off-by: Mathieu Desnoyers +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/sys32.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sparc/kernel/sys32.S ++++ b/arch/sparc/kernel/sys32.S +@@ -134,7 +134,7 @@ SIGN1(sys32_getpeername, sys_getpeername + SIGN1(sys32_getsockname, sys_getsockname, %o0) + SIGN2(sys32_ioprio_get, sys_ioprio_get, %o0, %o1) + SIGN3(sys32_ioprio_set, sys_ioprio_set, %o0, %o1, %o2) +-SIGN2(sys32_splice, sys_splice, %o0, %o1) ++SIGN2(sys32_splice, sys_splice, %o0, %o2) + SIGN2(sys32_sync_file_range, compat_sync_file_range, %o0, %o5) + SIGN2(sys32_tee, sys_tee, %o0, %o1) + SIGN1(sys32_vmsplice, compat_sys_vmsplice, %o0) + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002410.660886830@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:57 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Massimo Cirillo , + Artem Bityutskiy , + David Woodhouse +Subject: [patch 11/22] JFFS2: add missing verify buffer allocation/deallocation +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=jffs2-add-missing-verify-buffer-allocation-deallocation.patch +Content-Length: 1287 +Lines: 45 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Massimo Cirillo + +commit bc8cec0dff072f1a45ce7f6b2c5234bb3411ac51 upstream. + +The function jffs2_nor_wbuf_flash_setup() doesn't allocate the verify buffer +if CONFIG_JFFS2_FS_WBUF_VERIFY is defined, so causing a kernel panic when +that macro is enabled and the verify function is called. Similarly the +jffs2_nor_wbuf_flash_cleanup() must free the buffer if +CONFIG_JFFS2_FS_WBUF_VERIFY is enabled. +The following patch fixes the problem. +The following patch applies to 2.6.30 kernel. 
+ +Signed-off-by: Massimo Cirillo +Signed-off-by: Artem Bityutskiy +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/wbuf.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/jffs2/wbuf.c ++++ b/fs/jffs2/wbuf.c +@@ -1268,10 +1268,20 @@ int jffs2_nor_wbuf_flash_setup(struct jf + if (!c->wbuf) + return -ENOMEM; + ++#ifdef CONFIG_JFFS2_FS_WBUF_VERIFY ++ c->wbuf_verify = kmalloc(c->wbuf_pagesize, GFP_KERNEL); ++ if (!c->wbuf_verify) { ++ kfree(c->wbuf); ++ return -ENOMEM; ++ } ++#endif + return 0; + } + + void jffs2_nor_wbuf_flash_cleanup(struct jffs2_sb_info *c) { ++#ifdef CONFIG_JFFS2_FS_WBUF_VERIFY ++ kfree(c->wbuf_verify); ++#endif + kfree(c->wbuf); + } + + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:10 2009 +Message-Id: <20090911002410.794447090@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:58 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Eric Dumazet , + "Paul E. McKenney" , + Pekka Enberg +Subject: [patch 12/22] slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=slub-fix-kmem_cache_destroy-with-slab_destroy_by_rcu.patch +Content-Length: 1275 +Lines: 42 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Eric Dumazet + +commit d76b1590e06a63a3d8697168cd0aabf1c4b3cb3a upstream. + +kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and +*before* sysfs_slab_remove() or risk rcu_free_slab() being called after +kmem_cache is deleted (kfreed). + +rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy() +a SLAB_DESTROY_BY_RCU enabled cache. + +Reported-by: Zdenek Kabelac +Signed-off-by: Eric Dumazet +Acked-by: Paul E. 
McKenney +Signed-off-by: Pekka Enberg +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2490,8 +2490,6 @@ static inline int kmem_cache_close(struc + */ + void kmem_cache_destroy(struct kmem_cache *s) + { +- if (s->flags & SLAB_DESTROY_BY_RCU) +- rcu_barrier(); + down_write(&slub_lock); + s->refcount--; + if (!s->refcount) { +@@ -2502,6 +2500,8 @@ void kmem_cache_destroy(struct kmem_cach + "still has objects.\n", s->name, __func__); + dump_stack(); + } ++ if (s->flags & SLAB_DESTROY_BY_RCU) ++ rcu_barrier(); + sysfs_slab_remove(s); + } else + up_write(&slub_lock); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002410.971758034@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:59 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ryusuke Konishi +Subject: [patch 13/22] nilfs2: fix preempt count underflow in nilfs_btnode_prepare_change_key +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=nilfs2-fix-preempt-count-underflow-in-nilfs_btnode_prepare_change_key.patch +Content-Length: 3658 +Lines: 73 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Ryusuke Konishi + +commit b1f1b8ce0a1d71cbc72f7540134d52b79bd8f5ac upstream. 
+ +This will fix the following preempt count underflow reported from +users with the title "[NILFS users] segctord problem" (Message-ID: +<949415.6494.qm@web58808.mail.re1.yahoo.com> and Message-ID: +): + + WARNING: at kernel/sched.c:4890 sub_preempt_count+0x95/0xa0() + Hardware name: HP Compaq 6530b (KR980UT#ABC) + Modules linked in: bridge stp llc bnep rfcomm l2cap xfs exportfs nilfs2 cowloop loop vboxnetadp vboxnetflt vboxdrv btusb bluetooth uvcvideo videodev v4l1_compat v4l2_compat_ioctl32 arc4 snd_hda_codec_analog ecb iwlagn iwlcore rfkill lib80211 mac80211 snd_hda_intel snd_hda_codec ehci_hcd uhci_hcd usbcore snd_hwdep snd_pcm tg3 cfg80211 psmouse snd_timer joydev libphy ohci1394 snd_page_alloc hp_accel lis3lv02d ieee1394 led_class i915 drm i2c_algo_bit video backlight output i2c_core dm_crypt dm_mod + Pid: 4197, comm: segctord Not tainted 2.6.30-gentoo-r4-64 #7 + Call Trace: + [] ? sub_preempt_count+0x95/0xa0 + [] warn_slowpath_common+0x78/0xd0 + [] warn_slowpath_null+0xf/0x20 + [] sub_preempt_count+0x95/0xa0 + [] nilfs_btnode_prepare_change_key+0x11b/0x190 [nilfs2] + [] nilfs_btree_assign_p+0x19d/0x1e0 [nilfs2] + [] nilfs_btree_assign+0xbd/0x130 [nilfs2] + [] nilfs_bmap_assign+0x47/0x70 [nilfs2] + [] nilfs_segctor_do_construct+0x956/0x20f0 [nilfs2] + [] ? _spin_unlock_irqrestore+0x12/0x40 + [] ? __up_write+0xe0/0x150 + [] ? up_write+0x9/0x10 + [] ? nilfs_bmap_test_and_clear_dirty+0x43/0x60 [nilfs2] + [] ? nilfs_mdt_fetch_dirty+0x27/0x60 [nilfs2] + [] nilfs_segctor_construct+0x8c/0xd0 [nilfs2] + [] nilfs_segctor_thread+0x15c/0x3a0 [nilfs2] + [] ? nilfs_construction_timeout+0x0/0x10 [nilfs2] + [] ? add_timer+0x13/0x20 + [] ? __wake_up_common+0x5a/0x90 + [] ? autoremove_wake_function+0x0/0x40 + [] ? nilfs_segctor_thread+0x0/0x3a0 [nilfs2] + [] ? nilfs_segctor_thread+0x0/0x3a0 [nilfs2] + [] kthread+0x56/0x90 + [] child_rip+0xa/0x20 + [] ? kthread+0x0/0x90 + [] ? 
child_rip+0x0/0x20 + +This problem was caused due to a missing radix_tree_preload() call in +the retry path of nilfs_btnode_prepare_change_key() function. + +Reported-by: Eric A +Reported-by: Jerome Poulin +Signed-off-by: Ryusuke Konishi +Tested-by: Jerome Poulin +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/btnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -206,6 +206,7 @@ int nilfs_btnode_prepare_change_key(stru + * We cannot call radix_tree_preload for the kernels older + * than 2.6.23, because it is not exported for modules. + */ ++retry: + err = radix_tree_preload(GFP_NOFS & ~__GFP_HIGHMEM); + if (err) + goto failed_unlock; +@@ -216,7 +217,6 @@ int nilfs_btnode_prepare_change_key(stru + (unsigned long long)oldkey, + (unsigned long long)newkey); + +-retry: + spin_lock_irq(&btnc->tree_lock); + err = radix_tree_insert(&btnc->page_tree, newkey, obh->b_page); + spin_unlock_irq(&btnc->tree_lock); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002411.157180912@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:00 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Chris Wright , + Ivan Kokshaysky , + Matthew Wilcox , + Yu Zhao , + Jesse Barnes +Subject: [patch 14/22] PCI SR-IOV: correct broken resource alignment calculations +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=pci-sr-iov-correct-broken-resource-alignment-calculations.patch +Content-Length: 5432 +Lines: 155 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Chris Wright + +commit 6faf17f6f1ffc586d16efc2f9fa2083a7785ee74 upstream. 
+ +An SR-IOV capable device includes an SR-IOV PCIe capability which +describes the Virtual Function (VF) BAR requirements. A typical SR-IOV +device can support multiple VFs whose BARs must be in a contiguous region, +effectively an array of VF BARs. The BAR reports the size requirement +for a single VF. We calculate the full range needed by simply multiplying +the VF BAR size with the number of possible VFs and create a resource +spanning the full range. + +This all seems sane enough except it artificially inflates the alignment +requirement for the VF BAR. The VF BAR need only be aligned to the size +of a single BAR not the contiguous range of VF BARs. This can cause us +to fail to allocate resources for the BAR despite the fact that we +actually have enough space. + +This patch adds a thin PCI specific layer over the generic +resource_alignment() function which is aware of the special nature of +VF BARs and does sorting and allocation based on the smaller alignment +requirement. + +I recognize that while resource_alignment is generic, it's basically a +PCI helper. An alternative to this patch is to add PCI VF BAR specific +information to struct resource. I opted for the extra layer rather than +adding such PCI specific information to struct resource. This does +have the slight downside that we don't cache the BAR size and re-read +for each alignment query (happens a small handful of times during boot +for each VF BAR). 
+ +Signed-off-by: Chris Wright +Cc: Ivan Kokshaysky +Cc: Linus Torvalds +Cc: Matthew Wilcox +Cc: Yu Zhao +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/iov.c | 23 +++++++++++++++++++++++ + drivers/pci/pci.h | 13 +++++++++++++ + drivers/pci/setup-bus.c | 4 ++-- + drivers/pci/setup-res.c | 6 +++--- + 4 files changed, 41 insertions(+), 5 deletions(-) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -595,6 +595,29 @@ int pci_iov_resource_bar(struct pci_dev + } + + /** ++ * pci_sriov_resource_alignment - get resource alignment for VF BAR ++ * @dev: the PCI device ++ * @resno: the resource number ++ * ++ * Returns the alignment of the VF BAR found in the SR-IOV capability. ++ * This is not the same as the resource size which is defined as ++ * the VF BAR size multiplied by the number of VFs. The alignment ++ * is just the VF BAR size. ++ */ ++int pci_sriov_resource_alignment(struct pci_dev *dev, int resno) ++{ ++ struct resource tmp; ++ enum pci_bar_type type; ++ int reg = pci_iov_resource_bar(dev, resno, &type); ++ ++ if (!reg) ++ return 0; ++ ++ __pci_read_base(dev, type, &tmp, reg); ++ return resource_alignment(&tmp); ++} ++ ++/** + * pci_restore_iov_state - restore the state of the IOV capability + * @dev: the PCI device + */ +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -234,6 +234,7 @@ extern int pci_iov_init(struct pci_dev * + extern void pci_iov_release(struct pci_dev *dev); + extern int pci_iov_resource_bar(struct pci_dev *dev, int resno, + enum pci_bar_type *type); ++extern int pci_sriov_resource_alignment(struct pci_dev *dev, int resno); + extern void pci_restore_iov_state(struct pci_dev *dev); + extern int pci_iov_bus_range(struct pci_bus *bus); + #else +@@ -259,4 +260,16 @@ static inline int pci_iov_bus_range(stru + } + #endif /* CONFIG_PCI_IOV */ + ++static inline int pci_resource_alignment(struct pci_dev *dev, ++ struct resource *res) ++{ ++#ifdef CONFIG_PCI_IOV ++ int resno = res - dev->resource; ++ ++ 
if (resno >= PCI_IOV_RESOURCES && resno <= PCI_IOV_RESOURCE_END) ++ return pci_sriov_resource_alignment(dev, resno); ++#endif ++ return resource_alignment(res); ++} ++ + #endif /* DRIVERS_PCI_H */ +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -25,7 +25,7 @@ + #include + #include + #include +- ++#include "pci.h" + + static void pbus_assign_resources_sorted(const struct pci_bus *bus) + { +@@ -355,7 +355,7 @@ static int pbus_size_mem(struct pci_bus + continue; + r_size = resource_size(r); + /* For bridges size != alignment */ +- align = resource_alignment(r); ++ align = pci_resource_alignment(dev, r); + order = __ffs(align) - 20; + if (order > 11) { + dev_warn(&dev->dev, "BAR %d bad alignment %llx: " +--- a/drivers/pci/setup-res.c ++++ b/drivers/pci/setup-res.c +@@ -145,7 +145,7 @@ int pci_assign_resource(struct pci_dev * + size = resource_size(res); + min = (res->flags & IORESOURCE_IO) ? PCIBIOS_MIN_IO : PCIBIOS_MIN_MEM; + +- align = resource_alignment(res); ++ align = pci_resource_alignment(dev, res); + if (!align) { + dev_info(&dev->dev, "BAR %d: can't allocate resource (bogus " + "alignment) %pR flags %#lx\n", +@@ -236,7 +236,7 @@ void pdev_sort_resources(struct pci_dev + if (!(r->flags) || r->parent) + continue; + +- r_align = resource_alignment(r); ++ r_align = pci_resource_alignment(dev, r); + if (!r_align) { + dev_warn(&dev->dev, "BAR %d: bogus alignment " + "%pR flags %#lx\n", +@@ -248,7 +248,7 @@ void pdev_sort_resources(struct pci_dev + struct resource_list *ln = list->next; + + if (ln) +- align = resource_alignment(ln->res); ++ align = pci_resource_alignment(ln->dev, ln->res); + + if (r_align > align) { + tmp = kmalloc(sizeof(*tmp), GFP_KERNEL); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002411.326362527@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:01 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + 
torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + James Bottomley +Subject: [patch 15/22] SCSI: sd: fix bug in SCSI async probing +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=scsi-sd-fix-bug-in-scsi-async-probing.patch +Content-Length: 2696 +Lines: 94 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: James Bottomley + +commit 601e7638254c118fca135af9b1a9f35061420f62 upstream. + +The async split up of probing in sd.c created a potential failure case where +something goes wrong with device_add(), but which we don't recover properly. +Since, in general, asynchronous error handling is hard, move the device_add() +into the asynchronous path (it should be fast) and make sure all the deferred +processing cannot fail. + +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 45 +++++++++++++++++++++------------------------ + 1 file changed, 21 insertions(+), 24 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1902,24 +1902,6 @@ static void sd_probe_async(void *data, a + index = sdkp->index; + dev = &sdp->sdev_gendev; + +- if (!sdp->request_queue->rq_timeout) { +- if (sdp->type != TYPE_MOD) +- blk_queue_rq_timeout(sdp->request_queue, SD_TIMEOUT); +- else +- blk_queue_rq_timeout(sdp->request_queue, +- SD_MOD_TIMEOUT); +- } +- +- device_initialize(&sdkp->dev); +- sdkp->dev.parent = &sdp->sdev_gendev; +- sdkp->dev.class = &sd_disk_class; +- dev_set_name(&sdkp->dev, dev_name(&sdp->sdev_gendev)); +- +- if (device_add(&sdkp->dev)) +- goto out_free_index; +- +- get_device(&sdp->sdev_gendev); +- + if (index < SD_MAX_DISKS) { + gd->major = sd_major((index & 0xf0) >> 4); + gd->first_minor = ((index & 0xf) << 4) | (index & 0xfff00); +@@ -1954,11 +1936,6 @@ static void sd_probe_async(void *data, a + + sd_printk(KERN_NOTICE, sdkp, "Attached SCSI %sdisk\n", + sdp->removable ? 
"removable " : ""); +- +- return; +- +- out_free_index: +- ida_remove(&sd_index_ida, index); + } + + /** +@@ -2026,6 +2003,24 @@ static int sd_probe(struct device *dev) + sdkp->openers = 0; + sdkp->previous_state = 1; + ++ if (!sdp->request_queue->rq_timeout) { ++ if (sdp->type != TYPE_MOD) ++ blk_queue_rq_timeout(sdp->request_queue, SD_TIMEOUT); ++ else ++ blk_queue_rq_timeout(sdp->request_queue, ++ SD_MOD_TIMEOUT); ++ } ++ ++ device_initialize(&sdkp->dev); ++ sdkp->dev.parent = &sdp->sdev_gendev; ++ sdkp->dev.class = &sd_disk_class; ++ dev_set_name(&sdkp->dev, dev_name(&sdp->sdev_gendev)); ++ ++ if (device_add(&sdkp->dev)) ++ goto out_free_index; ++ ++ get_device(&sdp->sdev_gendev); ++ + async_schedule(sd_probe_async, sdkp); + + return 0; +@@ -2055,8 +2050,10 @@ static int sd_probe(struct device *dev) + **/ + static int sd_remove(struct device *dev) + { +- struct scsi_disk *sdkp = dev_get_drvdata(dev); ++ struct scsi_disk *sdkp; + ++ async_synchronize_full(); ++ sdkp = dev_get_drvdata(dev); + device_del(&sdkp->dev); + del_gendisk(sdkp->disk); + sd_shutdown(dev); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002411.498265593@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:02 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Clemens Ladisch , + Takashi Iwai +Subject: [patch 16/22] sound: oxygen: handle cards with missing EEPROM +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sound-oxygen-handle-cards-with-missing-eeprom.patch +Content-Length: 1145 +Lines: 31 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Clemens Ladisch + +commit 92653453c3015c083b9fe0ad48261c6b2267d482 upstream. 
+ +The card model detection code introduced in 2.6.30 that tries to work +around partially broken EEPROM contents by reading the EEPROM directly +does not handle cards where the EEPROM has been omitted. In this case, +we have to use the default ID to allow the driver to load. + +Signed-off-by: Clemens Ladisch +Reported-and-tested-by: Ozan Çağlayan +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/oxygen/oxygen_lib.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/oxygen/oxygen_lib.c ++++ b/sound/pci/oxygen/oxygen_lib.c +@@ -260,6 +260,9 @@ oxygen_search_pci_id(struct oxygen *chip + * chip didn't if the first EEPROM word was overwritten. + */ + subdevice = oxygen_read_eeprom(chip, 2); ++ /* use default ID if EEPROM is missing */ ++ if (subdevice == 0xffff) ++ subdevice = 0x8788; + /* + * We use only the subsystem device ID for searching because it is + * unique even without the subsystem vendor ID, which may have been + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002411.613796207@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:03 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Clemens Ladisch , + Takashi Iwai +Subject: [patch 17/22] sound: oxygen: fix MCLK rate for 192 kHz playback +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=sound-oxygen-fix-mclk-rate-for-192-khz-playback.patch +Content-Length: 1042 +Lines: 31 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Clemens Ladisch + +commit b91ab72b830e1494c2c7f8de05ccb2ab2c9cfb26 upstream. + +Do not forget to program the MCLK ratio for the I2S output. +Otherwise, the master clock frequency can be too high for +the DACs at sample frequencies above 96 kHz. 
+ +Signed-off-by: Clemens Ladisch +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/oxygen/oxygen_pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/oxygen/oxygen_pcm.c ++++ b/sound/pci/oxygen/oxygen_pcm.c +@@ -469,9 +469,11 @@ static int oxygen_multich_hw_params(stru + oxygen_write16_masked(chip, OXYGEN_I2S_MULTICH_FORMAT, + oxygen_rate(hw_params) | + chip->model.dac_i2s_format | ++ oxygen_i2s_mclk(hw_params) | + oxygen_i2s_bits(hw_params), + OXYGEN_I2S_RATE_MASK | + OXYGEN_I2S_FORMAT_MASK | ++ OXYGEN_I2S_MCLK_MASK | + OXYGEN_I2S_BITS_MASK); + oxygen_update_dac_routing(chip); + oxygen_update_spdif_source(chip); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:11 2009 +Message-Id: <20090911002411.791389158@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:04 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jonathan Brassow , + Alasdair G Kergon +Subject: [patch 18/22] dm raid1: do not allow log_failure variable to unset after being set +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dm-raid1-do-not-allow-log_failure-variable-to-unset-after-being-set.patch +Content-Length: 2236 +Lines: 57 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Jonathan Brassow + +commit d2b698644c97cb033261536a4f2010924a00eac9 upstream. + +This patch fixes a bug which was triggering a case where the primary leg +could not be changed on failure even when the mirror was in-sync. + +The case involves the failure of the primary device along with +the transient failure of the log device. The problem is that +bios can be put on the 'failures' list (due to log failure) +before 'fail_mirror' is called due to the primary device failure. 
+Normally, this is fine, but if the log device failure is transient, +a subsequent iteration of the work thread, 'do_mirror', will +reset 'log_failure'. The 'do_failures' function then resets +the 'in_sync' variable when processing bios on the failures list. +The 'in_sync' variable is what is used to determine if the +primary device can be switched in the event of a failure. Since +this has been reset, the primary device is incorrectly assumed +to be not switchable. + +The case has been seen in the cluster mirror context, where one +machine realizes the log device is dead before the other machines. +As the responsibilities of the server migrate from one node to +another (because the mirror is being reconfigured due to the failure), +the new server may think for a moment that the log device is fine - +thus resetting the 'log_failure' variable. + +In any case, it is inappropiate for us to reset the 'log_failure' +variable. The above bug simply illustrates that it can actually +hurt us. + +Signed-off-by: Jonathan Brassow +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-raid1.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -648,7 +648,13 @@ static void do_writes(struct mirror_set + */ + dm_rh_inc_pending(ms->rh, &sync); + dm_rh_inc_pending(ms->rh, &nosync); +- ms->log_failure = dm_rh_flush(ms->rh) ? 1 : 0; ++ ++ /* ++ * If the flush fails on a previous call and succeeds here, ++ * we must not reset the log_failure variable. We need ++ * userspace interaction to do that. ++ */ ++ ms->log_failure = dm_rh_flush(ms->rh) ? 1 : ms->log_failure; + + /* + * Dispatch io. 
+ + +From gregkh@mini.kroah.org Thu Sep 10 17:24:12 2009 +Message-Id: <20090911002411.963437354@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:05 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mikulas Patocka , + Alasdair G Kergon +Subject: [patch 19/22] dm snapshot: refactor zero_disk_area to use chunk_io +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dm-snapshot-refactor-zero_disk_area-to-use-chunk_io.patch +Content-Length: 2547 +Lines: 88 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Mikulas Patocka + +commit 02d2fd31defce6ff77146ad0fef4f19006055d86 upstream. + +Refactor chunk_io to prepare for the fix in the following patch. + +Pass an area pointer to chunk_io and simplify zero_disk_area to use +chunk_io. No functional change. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-snap-persistent.c | 26 +++++++------------------- + 1 file changed, 7 insertions(+), 19 deletions(-) + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -188,7 +188,8 @@ static void do_metadata(struct work_stru + /* + * Read or write a chunk aligned and sized block of data from a device. 
+ */ +-static int chunk_io(struct pstore *ps, chunk_t chunk, int rw, int metadata) ++static int chunk_io(struct pstore *ps, void *area, chunk_t chunk, int rw, ++ int metadata) + { + struct dm_io_region where = { + .bdev = ps->store->cow->bdev, +@@ -198,7 +199,7 @@ static int chunk_io(struct pstore *ps, c + struct dm_io_request io_req = { + .bi_rw = rw, + .mem.type = DM_IO_VMA, +- .mem.ptr.vma = ps->area, ++ .mem.ptr.vma = area, + .client = ps->io_client, + .notify.fn = NULL, + }; +@@ -240,7 +241,7 @@ static int area_io(struct pstore *ps, in + + chunk = area_location(ps, ps->current_area); + +- r = chunk_io(ps, chunk, rw, 0); ++ r = chunk_io(ps, ps->area, chunk, rw, 0); + if (r) + return r; + +@@ -254,20 +255,7 @@ static void zero_memory_area(struct psto + + static int zero_disk_area(struct pstore *ps, chunk_t area) + { +- struct dm_io_region where = { +- .bdev = ps->store->cow->bdev, +- .sector = ps->store->chunk_size * area_location(ps, area), +- .count = ps->store->chunk_size, +- }; +- struct dm_io_request io_req = { +- .bi_rw = WRITE, +- .mem.type = DM_IO_VMA, +- .mem.ptr.vma = ps->zero_area, +- .client = ps->io_client, +- .notify.fn = NULL, +- }; +- +- return dm_io(&io_req, 1, &where, NULL); ++ return chunk_io(ps, ps->zero_area, area_location(ps, area), WRITE, 0); + } + + static int read_header(struct pstore *ps, int *new_snapshot) +@@ -297,7 +285,7 @@ static int read_header(struct pstore *ps + if (r) + return r; + +- r = chunk_io(ps, 0, READ, 1); ++ r = chunk_io(ps, ps->area, 0, READ, 1); + if (r) + goto bad; + +@@ -359,7 +347,7 @@ static int write_header(struct pstore *p + dh->version = cpu_to_le32(ps->version); + dh->chunk_size = cpu_to_le32(ps->store->chunk_size); + +- return chunk_io(ps, 0, WRITE, 1); ++ return chunk_io(ps, ps->area, 0, WRITE, 1); + } + + /* + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:12 2009 +Message-Id: <20090911002412.104202809@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:06 -0700 +From: Greg KH +To: 
linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mikulas Patocka , + Alasdair G Kergon +Subject: [patch 20/22] dm snapshot: fix header corruption race on invalidation +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dm-snapshot-fix-header-corruption-race-on-invalidation.patch +Content-Length: 3890 +Lines: 139 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Mikulas Patocka + +commit 61578dcd3fafe6babd72e8db32110cc0b630a432 upstream. + +If a persistent snapshot fills up, a race can corrupt the on-disk header +which causes a crash on any future attempt to activate the snapshot +(typically while booting). This patch fixes the race. + +When the snapshot overflows, __invalidate_snapshot is called, which calls +snapshot store method drop_snapshot. It goes to persistent_drop_snapshot that +calls write_header. write_header constructs the new header in the "area" +location. + +Concurrently, an existing kcopyd job may finish, call copy_callback +and commit_exception method, that goes to persistent_commit_exception. +persistent_commit_exception doesn't do locking, relying on the fact that +callbacks are single-threaded, but it can race with snapshot invalidation and +overwrite the header that is just being written while the snapshot is being +invalidated. + +The result of this race is a corrupted header being written that can +lead to a crash on further reactivation (if chunk_size is zero in the +corrupted header). + +The fix is to use separate memory areas for each. 
+ +See the bug: https://bugzilla.redhat.com/show_bug.cgi?id=461506 + +Signed-off-by: Mikulas Patocka +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-snap-persistent.c | 44 ++++++++++++++++++++++++++++++---------- + 1 file changed, 34 insertions(+), 10 deletions(-) + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -106,6 +106,13 @@ struct pstore { + void *zero_area; + + /* ++ * An area used for header. The header can be written ++ * concurrently with metadata (when invalidating the snapshot), ++ * so it needs a separate buffer. ++ */ ++ void *header_area; ++ ++ /* + * Used to keep track of which metadata area the data in + * 'chunk' refers to. + */ +@@ -148,16 +155,27 @@ static int alloc_area(struct pstore *ps) + */ + ps->area = vmalloc(len); + if (!ps->area) +- return r; ++ goto err_area; + + ps->zero_area = vmalloc(len); +- if (!ps->zero_area) { +- vfree(ps->area); +- return r; +- } ++ if (!ps->zero_area) ++ goto err_zero_area; + memset(ps->zero_area, 0, len); + ++ ps->header_area = vmalloc(len); ++ if (!ps->header_area) ++ goto err_header_area; ++ + return 0; ++ ++err_header_area: ++ vfree(ps->zero_area); ++ ++err_zero_area: ++ vfree(ps->area); ++ ++err_area: ++ return r; + } + + static void free_area(struct pstore *ps) +@@ -169,6 +187,10 @@ static void free_area(struct pstore *ps) + if (ps->zero_area) + vfree(ps->zero_area); + ps->zero_area = NULL; ++ ++ if (ps->header_area) ++ vfree(ps->header_area); ++ ps->header_area = NULL; + } + + struct mdata_req { +@@ -285,11 +307,11 @@ static int read_header(struct pstore *ps + if (r) + return r; + +- r = chunk_io(ps, ps->area, 0, READ, 1); ++ r = chunk_io(ps, ps->header_area, 0, READ, 1); + if (r) + goto bad; + +- dh = (struct disk_header *) ps->area; ++ dh = ps->header_area; + + if (le32_to_cpu(dh->magic) == 0) { + *new_snapshot = 1; +@@ -339,15 +361,15 @@ static int write_header(struct pstore *p + { + struct disk_header *dh; + +- 
memset(ps->area, 0, ps->store->chunk_size << SECTOR_SHIFT); ++ memset(ps->header_area, 0, ps->store->chunk_size << SECTOR_SHIFT); + +- dh = (struct disk_header *) ps->area; ++ dh = ps->header_area; + dh->magic = cpu_to_le32(SNAP_MAGIC); + dh->valid = cpu_to_le32(ps->valid); + dh->version = cpu_to_le32(ps->version); + dh->chunk_size = cpu_to_le32(ps->store->chunk_size); + +- return chunk_io(ps, ps->area, 0, WRITE, 1); ++ return chunk_io(ps, ps->header_area, 0, WRITE, 1); + } + + /* +@@ -667,6 +689,8 @@ static int persistent_ctr(struct dm_exce + ps->valid = 1; + ps->version = SNAPSHOT_DISK_VERSION; + ps->area = NULL; ++ ps->zero_area = NULL; ++ ps->header_area = NULL; + ps->next_free = 2; /* skipping the header and first area */ + ps->current_committed = 0; + + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:12 2009 +Message-Id: <20090911002412.247250943@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:07 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mikulas Patocka , + Alasdair G Kergon +Subject: [patch 21/22] dm exception store: split set_chunk_size +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dm-exception-store-split-set_chunk_size.patch +Content-Length: 1663 +Lines: 47 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Mikulas Patocka + +commit 2defcc3fb4661e7351cb2ac48d843efc4c64db13 upstream. + +Break the function set_chunk_size to two functions in preparation for +the fix in the following patch. 
+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-exception-store.c | 8 ++++++++ + drivers/md/dm-exception-store.h | 4 ++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/md/dm-exception-store.c ++++ b/drivers/md/dm-exception-store.c +@@ -171,6 +171,14 @@ static int set_chunk_size(struct dm_exce + */ + chunk_size_ulong = round_up(chunk_size_ulong, PAGE_SIZE >> 9); + ++ return dm_exception_store_set_chunk_size(store, chunk_size_ulong, ++ error); ++} ++ ++int dm_exception_store_set_chunk_size(struct dm_exception_store *store, ++ unsigned long chunk_size_ulong, ++ char **error) ++{ + /* Check chunk_size is a power of 2 */ + if (!is_power_of_2(chunk_size_ulong)) { + *error = "Chunk size is not a power of 2"; +--- a/drivers/md/dm-exception-store.h ++++ b/drivers/md/dm-exception-store.h +@@ -168,6 +168,10 @@ static inline chunk_t sector_to_chunk(st + int dm_exception_store_type_register(struct dm_exception_store_type *type); + int dm_exception_store_type_unregister(struct dm_exception_store_type *type); + ++int dm_exception_store_set_chunk_size(struct dm_exception_store *store, ++ unsigned long chunk_size_ulong, ++ char **error); ++ + int dm_exception_store_create(struct dm_target *ti, int argc, char **argv, + unsigned *args_used, + struct dm_exception_store **store); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:12 2009 +Message-Id: <20090911002412.397568158@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:23:08 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Mikulas Patocka , + Alasdair G Kergon +Subject: [patch 22/22] dm snapshot: fix on disk chunk size validation +References: <20090911002246.666327880@mini.kroah.org> +Content-Disposition: inline; filename=dm-snapshot-fix-on-disk-chunk-size-validation.patch 
+Content-Length: 3106 +Lines: 89 + +2.6.30-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Mikulas Patocka + +commit ae0b7448e91353ea5f821601a055aca6b58042cd upstream. + +Fix some problems seen in the chunk size processing when activating a +pre-existing snapshot. + +For a new snapshot, the chunk size can either be supplied by the creator +or a default value can be used. For an existing snapshot, the +chunk size in the snapshot header on disk should always be used. + +If someone attempts to load an existing snapshot and has the 'default +chunk size' option set, the kernel uses its default value even when it +is incorrect for the snapshot being loaded. This patch ensures the +correct on-disk value is always used. + +Secondly, when the code does use the chunk size stored on the disk it is +prudent to revalidate it, so the code can exit cleanly if it got +corrupted as happened in +https://bugzilla.redhat.com/show_bug.cgi?id=461506 . + +Signed-off-by: Mikulas Patocka +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-exception-store.c | 5 +++++ + drivers/md/dm-snap-persistent.c | 22 ++++++++++++++-------- + 2 files changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-exception-store.c ++++ b/drivers/md/dm-exception-store.c +@@ -191,6 +191,11 @@ int dm_exception_store_set_chunk_size(st + return -EINVAL; + } + ++ if (chunk_size_ulong > INT_MAX >> SECTOR_SHIFT) { ++ *error = "Chunk size is too high"; ++ return -EINVAL; ++ } ++ + store->chunk_size = chunk_size_ulong; + store->chunk_mask = chunk_size_ulong - 1; + store->chunk_shift = ffs(chunk_size_ulong) - 1; +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -286,6 +286,7 @@ static int read_header(struct pstore *ps + struct disk_header *dh; + chunk_t chunk_size; + int chunk_size_supplied = 1; ++ char *chunk_err; + + /* + * Use default chunk size (or hardsect_size, if larger) if none 
supplied +@@ -329,20 +330,25 @@ static int read_header(struct pstore *ps + ps->version = le32_to_cpu(dh->version); + chunk_size = le32_to_cpu(dh->chunk_size); + +- if (!chunk_size_supplied || ps->store->chunk_size == chunk_size) ++ if (ps->store->chunk_size == chunk_size) + return 0; + +- DMWARN("chunk size %llu in device metadata overrides " +- "table chunk size of %llu.", +- (unsigned long long)chunk_size, +- (unsigned long long)ps->store->chunk_size); ++ if (chunk_size_supplied) ++ DMWARN("chunk size %llu in device metadata overrides " ++ "table chunk size of %llu.", ++ (unsigned long long)chunk_size, ++ (unsigned long long)ps->store->chunk_size); + + /* We had a bogus chunk_size. Fix stuff up. */ + free_area(ps); + +- ps->store->chunk_size = chunk_size; +- ps->store->chunk_mask = chunk_size - 1; +- ps->store->chunk_shift = ffs(chunk_size) - 1; ++ r = dm_exception_store_set_chunk_size(ps->store, chunk_size, ++ &chunk_err); ++ if (r) { ++ DMERR("invalid on-disk chunk size %llu: %s.", ++ (unsigned long long)chunk_size, chunk_err); ++ return r; ++ } + + r = dm_io_client_resize(sectors_to_pages(ps->store->chunk_size), + ps->io_client); + + +From gregkh@mini.kroah.org Thu Sep 10 17:24:09 2009 +Message-Id: <20090911002246.666327880@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Thu, 10 Sep 2009 17:22:46 -0700 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [patch 00/22] 2.6.30.7-stable review +Content-Length: 2473 +Lines: 56 + +This is the start of the stable review cycle for the 2.6.30.7 release. +There are 22 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a 
Signed-off-by: line to the patch, please respond with it. + +These patches are sent out with a number of different people on the Cc: +line. If you wish to be a reviewer, please email stable@kernel.org to +add your name to the list. If you want to be off the reviewer list, +also email us. + +Responses should be made by Sunday, September 12, 2009 00:00:00 UTC. +Anything received after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.30.7-rc1.gz +and the diffstat can be found below. + + +thanks, + +greg k-h + +----------- + + Makefile | 2 +- + arch/sparc/include/asm/pgtable_64.h | 12 ++++- + arch/sparc/kernel/irq_64.c | 2 +- + arch/sparc/kernel/ktlb.S | 42 +++++++++++++++-- + arch/sparc/kernel/nmi.c | 2 +- + arch/sparc/kernel/sys32.S | 2 +- + arch/sparc/mm/init_64.c | 43 +++++++++-------- + arch/sparc/mm/init_64.h | 7 ++- + arch/sparc/prom/misc_64.c | 2 +- + arch/sparc/prom/printf.c | 7 +-- + drivers/md/dm-exception-store.c | 13 +++++ + drivers/md/dm-exception-store.h | 4 ++ + drivers/md/dm-raid1.c | 8 +++- + drivers/md/dm-snap-persistent.c | 88 +++++++++++++++++++++-------------- + drivers/net/e100.c | 2 +- + drivers/net/ppp_generic.c | 34 +++++++------ + drivers/net/pppol2tp.c | 1 + + drivers/pci/iov.c | 23 +++++++++ + drivers/pci/pci.h | 13 +++++ + drivers/pci/setup-bus.c | 4 +- + drivers/pci/setup-res.c | 6 +- + drivers/scsi/sd.c | 45 ++++++++--------- + fs/jffs2/wbuf.c | 10 ++++ + fs/nilfs2/btnode.c | 2 +- + mm/slub.c | 4 +- + net/core/net_namespace.c | 2 +- + net/dccp/proto.c | 1 + + net/ipv4/ip_gre.c | 2 +- + sound/pci/oxygen/oxygen_lib.c | 3 + + sound/pci/oxygen/oxygen_pcm.c | 2 + + 30 files changed, 264 insertions(+), 124 deletions(-) + 
diff --git a/queue-2.6.30/net-net_assign_generic-fix.patch b/review-2.6.30/net-net_assign_generic-fix.patch similarity index 100% rename from queue-2.6.30/net-net_assign_generic-fix.patch rename to review-2.6.30/net-net_assign_generic-fix.patch diff --git a/queue-2.6.30/nilfs2-fix-preempt-count-underflow-in-nilfs_btnode_prepare_change_key.patch b/review-2.6.30/nilfs2-fix-preempt-count-underflow-in-nilfs_btnode_prepare_change_key.patch similarity index 100% rename from queue-2.6.30/nilfs2-fix-preempt-count-underflow-in-nilfs_btnode_prepare_change_key.patch rename to review-2.6.30/nilfs2-fix-preempt-count-underflow-in-nilfs_btnode_prepare_change_key.patch diff --git a/queue-2.6.30/pci-sr-iov-correct-broken-resource-alignment-calculations.patch b/review-2.6.30/pci-sr-iov-correct-broken-resource-alignment-calculations.patch similarity index 100% rename from queue-2.6.30/pci-sr-iov-correct-broken-resource-alignment-calculations.patch rename to review-2.6.30/pci-sr-iov-correct-broken-resource-alignment-calculations.patch diff --git a/queue-2.6.30/ppp-fix-lost-fragments-in-ppp_mp_explode.patch b/review-2.6.30/ppp-fix-lost-fragments-in-ppp_mp_explode.patch similarity index 100% rename from queue-2.6.30/ppp-fix-lost-fragments-in-ppp_mp_explode.patch rename to review-2.6.30/ppp-fix-lost-fragments-in-ppp_mp_explode.patch diff --git a/queue-2.6.30/pppol2tp-calls-unregister_pernet_gen_device-at-unload-time.patch b/review-2.6.30/pppol2tp-calls-unregister_pernet_gen_device-at-unload-time.patch similarity index 100% rename from queue-2.6.30/pppol2tp-calls-unregister_pernet_gen_device-at-unload-time.patch rename to review-2.6.30/pppol2tp-calls-unregister_pernet_gen_device-at-unload-time.patch diff --git a/queue-2.6.30/scsi-sd-fix-bug-in-scsi-async-probing.patch b/review-2.6.30/scsi-sd-fix-bug-in-scsi-async-probing.patch similarity index 100% rename from queue-2.6.30/scsi-sd-fix-bug-in-scsi-async-probing.patch rename to review-2.6.30/scsi-sd-fix-bug-in-scsi-async-probing.patch 
diff --git a/queue-2.6.30/series b/review-2.6.30/series similarity index 100% rename from queue-2.6.30/series rename to review-2.6.30/series diff --git a/queue-2.6.30/slub-fix-kmem_cache_destroy-with-slab_destroy_by_rcu.patch b/review-2.6.30/slub-fix-kmem_cache_destroy-with-slab_destroy_by_rcu.patch similarity index 100% rename from queue-2.6.30/slub-fix-kmem_cache_destroy-with-slab_destroy_by_rcu.patch rename to review-2.6.30/slub-fix-kmem_cache_destroy-with-slab_destroy_by_rcu.patch diff --git a/queue-2.6.30/sound-oxygen-fix-mclk-rate-for-192-khz-playback.patch b/review-2.6.30/sound-oxygen-fix-mclk-rate-for-192-khz-playback.patch similarity index 100% rename from queue-2.6.30/sound-oxygen-fix-mclk-rate-for-192-khz-playback.patch rename to review-2.6.30/sound-oxygen-fix-mclk-rate-for-192-khz-playback.patch diff --git a/queue-2.6.30/sound-oxygen-handle-cards-with-missing-eeprom.patch b/review-2.6.30/sound-oxygen-handle-cards-with-missing-eeprom.patch similarity index 100% rename from queue-2.6.30/sound-oxygen-handle-cards-with-missing-eeprom.patch rename to review-2.6.30/sound-oxygen-handle-cards-with-missing-eeprom.patch diff --git a/queue-2.6.30/sparc-sys32.s-incorrect-compat-layer-splice-system-call.patch b/review-2.6.30/sparc-sys32.s-incorrect-compat-layer-splice-system-call.patch similarity index 100% rename from queue-2.6.30/sparc-sys32.s-incorrect-compat-layer-splice-system-call.patch rename to review-2.6.30/sparc-sys32.s-incorrect-compat-layer-splice-system-call.patch diff --git a/queue-2.6.30/sparc64-fix-bootup-with-mcount-in-some-configs.patch b/review-2.6.30/sparc64-fix-bootup-with-mcount-in-some-configs.patch similarity index 100% rename from queue-2.6.30/sparc64-fix-bootup-with-mcount-in-some-configs.patch rename to review-2.6.30/sparc64-fix-bootup-with-mcount-in-some-configs.patch 
diff --git a/queue-2.6.30/sparc64-kill-spurious-nmi-watchdog-triggers-by-increasing-limit-to-30-seconds.patch b/review-2.6.30/sparc64-kill-spurious-nmi-watchdog-triggers-by-increasing-limit-to-30-seconds.patch similarity index 100% rename from queue-2.6.30/sparc64-kill-spurious-nmi-watchdog-triggers-by-increasing-limit-to-30-seconds.patch rename to review-2.6.30/sparc64-kill-spurious-nmi-watchdog-triggers-by-increasing-limit-to-30-seconds.patch diff --git a/queue-2.6.30/sparc64-validate-linear-d-tlb-misses.patch b/review-2.6.30/sparc64-validate-linear-d-tlb-misses.patch similarity index 100% rename from queue-2.6.30/sparc64-validate-linear-d-tlb-misses.patch rename to review-2.6.30/sparc64-validate-linear-d-tlb-misses.patch
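Review bot: in alloc_area() in drivers/md/dm-snap-persistent.c (the dm snapshot header-corruption patch), the new unwind labels err_header_area and err_zero_area call vfree() on ps->zero_area and ps->area but leave both pointers set. free_area() in the same patch decides what to release by testing those pointers (`if (ps->zero_area) vfree(ps->zero_area);`), so a free_area() call after a failed alloc_area() would free the same buffers a second time. Reset each pointer to NULL right after its vfree() in the unwind path, or let the error path call free_area(ps), which already does the NULL reset.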
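Review bot: the prototype added to drivers/md/dm-exception-store.h in patch 21/22 exposes dm_exception_store_set_chunk_size() to other files without stating its contract. Two things are worth a comment above the declaration: chunk_size_ulong is in sectors (the caller rounds it with `PAGE_SIZE >> 9`), and every non-zero return must set *error. The second matters because read_header() in patch 22/22 passes an uninitialised `char *chunk_err` and prints it with %s whenever the call fails.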
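Review bot: the bound added to dm_exception_store_set_chunk_size() in drivers/md/dm-exception-store.c, `chunk_size_ulong > INT_MAX >> SECTOR_SHIFT`, carries no comment explaining what it protects. Elsewhere in this series the sector count is shifted back into a byte length (`ps->store->chunk_size << SECTOR_SHIFT` in write_header()), so a one-line comment saying the limit keeps that byte count within int range would make the constant self-explanatory for the next person who touches the check.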
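Review bot: in the read_header() hunk of patch 22/22 (drivers/md/dm-snap-persistent.c), the on-disk chunk_size is validated only after free_area(ps) has already run, so a corrupted header tears down the buffers before it is rejected. Calling dm_exception_store_set_chunk_size() ahead of free_area(ps) would leave the store untouched on the DMERR path. The retained comment "We had a bogus chunk_size. Fix stuff up." is also stale now that this path is taken when no chunk size was supplied and the on-disk value simply replaces the default; reword it to say the on-disk value takes precedence.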