From: Greg Kroah-Hartman Date: Wed, 7 Mar 2007 14:50:36 +0000 (-0800) Subject: more 2.6.20 patches added X-Git-Tag: v2.6.20.2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db3ec07560447b1bfebf6fbc3d2820c7470e7011;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.20 patches added --- diff --git a/queue-2.6.20/buffer-memorder-fix.patch b/queue-2.6.20/buffer-memorder-fix.patch new file mode 100644 index 00000000000..6e5b8bb349c --- /dev/null +++ b/queue-2.6.20/buffer-memorder-fix.patch @@ -0,0 +1,67 @@ +From stable-bounces@linux.kernel.org Sat Feb 10 01:47:53 2007 +From: Nick Piggin +Date: Sat, 10 Feb 2007 01:46:22 -0800 +Subject: buffer: memorder fix +To: torvalds@linux-foundation.org +Cc: npiggin@suse.de, akpm@linux-foundation.org, cmm@us.ibm.com, stable@kernel.org +Message-ID: <200702100946.l1A9kM3s009363@shell0.pdx.osdl.net> + + +From: Nick Piggin + +unlock_buffer(), like unlock_page(), must not clear the lock without +ensuring that the critical section is closed. + + +Mingming later sent the same patch, saying: + +We are running SDET benchmark and saw double free issue for ext3 extended +attributes block, which complains the same xattr block already being freed (in +ext3_xattr_release_block()). The problem could also been triggered by +multiple threads loop untar/rm a kernel tree. + +The race is caused by missing a memory barrier at unlock_buffer() before the +lock bit being cleared, resulting in possible concurrent h_refcounter update. +That causes a reference counter leak, then later leads to the double free that +we have seen. + +Inside unlock_buffer(), there is a memory barrier is placed *after* the lock +bit is being cleared, however, there is no memory barrier *before* the bit is +cleared. On some arch the h_refcount update instruction and the clear bit +instruction could be reordered, thus leave the critical section re-entered. + +The race is like this: For example, if the h_refcount is initialized as 1, + +cpu 0: cpu1 +-------------------------------------- ----------------------------------- +lock_buffer() /* test_and_set_bit */ +clear_buffer_locked(bh); + lock_buffer() /* test_and_set_bit */ +h_refcount = h_refcount+1; /* = 2*/ h_refcount = h_refcount + 1; /*= 2 */ + clear_buffer_locked(bh); +.... ...... + + +We lost a h_refcount here. We need a memory barrier before the buffer head +lock bit being cleared to force the order of the two writes. Please apply. + + +Signed-off-by: Nick Piggin +Cc: Mingming Cao +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.20.1.orig/fs/buffer.c ++++ linux-2.6.20.1/fs/buffer.c +@@ -78,6 +78,7 @@ EXPORT_SYMBOL(__lock_buffer); + + void fastcall unlock_buffer(struct buffer_head *bh) + { ++ smp_mb__before_clear_bit(); + clear_buffer_locked(bh); + smp_mb__after_clear_bit(); + wake_up_bit(&bh->b_state, BH_Lock); diff --git a/queue-2.6.20/char-specialix-isr-have-2-params.patch b/queue-2.6.20/char-specialix-isr-have-2-params.patch new file mode 100644 index 00000000000..f1fd4c7f771 --- /dev/null +++ b/queue-2.6.20/char-specialix-isr-have-2-params.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Mon Feb 12 00:53:56 2007 +From: Jiri Slaby +Date: Mon, 12 Feb 2007 00:52:30 -0800 +Subject: Char: specialix, isr have 2 params +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, jirislaby@gmail.com, stable@kernel.org +Message-ID: <200702120852.l1C8qUKK026605@shell0.pdx.osdl.net> + + +From: Jiri Slaby + +specialix, isr have 2 params + +pt_regs are no longer the third parameter of isr, call sx_interrupt without +it. + +Signed-off-by: Jiri Slaby +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + + drivers/char/specialix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/drivers/char/specialix.c ++++ linux-2.6.20.1/drivers/char/specialix.c +@@ -459,7 +459,7 @@ void missed_irq (unsigned long data) + if (irq) { + printk (KERN_INFO "Missed interrupt... Calling int from timer. \n"); + sx_interrupt (((struct specialix_board *)data)->irq, +- (void*)data, NULL); ++ (void*)data); + } + missed_irq_timer.expires = jiffies + sx_poll; + add_timer (&missed_irq_timer); diff --git a/queue-2.6.20/enable-mouse-button-2-3-emulation-for-x86-macs.patch b/queue-2.6.20/enable-mouse-button-2-3-emulation-for-x86-macs.patch new file mode 100644 index 00000000000..68e0a23ea87 --- /dev/null +++ b/queue-2.6.20/enable-mouse-button-2-3-emulation-for-x86-macs.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Thu Feb 8 14:22:30 2007 +From: Soeren Sonnenburg +Date: Thu, 08 Feb 2007 14:20:38 -0800 +Subject: enable mouse button 2+3 emulation for x86 macs +To: torvalds@linux-foundation.org +Cc: kernel@nn7.de, benh@kernel.crashing.org, paulus@samba.org, dtor@mail.ru, akpm@linux-foundation.org, stable@kernel.org +Message-ID: <200702082220.l18MKd82028502@shell0.pdx.osdl.net> + + +From: Soeren Sonnenburg + +As macbook/macbook pro's also have to live with a single mouse button the +following patch just enables the Macintosh device drivers menu in Kconfig + +adds the macintosh dir to the obj-* to make macbook* users happy (who use +exactly that since months.... + +Signed-off-by: Soeren Sonnenburg +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Dmitry Torokhov +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/Makefile | 2 +- + drivers/macintosh/Kconfig | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.20.1.orig/drivers/Makefile ++++ linux-2.6.20.1/drivers/Makefile +@@ -30,7 +30,7 @@ obj-$(CONFIG_PARPORT) += parport/ + obj-y += base/ block/ misc/ mfd/ net/ media/ + obj-$(CONFIG_NUBUS) += nubus/ + obj-$(CONFIG_ATM) += atm/ +-obj-$(CONFIG_PPC_PMAC) += macintosh/ ++obj-y += macintosh/ + obj-$(CONFIG_IDE) += ide/ + obj-$(CONFIG_FC4) += fc4/ + obj-$(CONFIG_SCSI) += scsi/ +--- linux-2.6.20.1.orig/drivers/macintosh/Kconfig ++++ linux-2.6.20.1/drivers/macintosh/Kconfig +@@ -1,6 +1,6 @@ + + menu "Macintosh device drivers" +- depends on PPC || MAC ++ depends on PPC || MAC || X86 + + config ADB + bool "Apple Desktop Bus (ADB) support" diff --git a/queue-2.6.20/fix-mtrr-compat-ioctl.patch b/queue-2.6.20/fix-mtrr-compat-ioctl.patch new file mode 100644 index 00000000000..8af5017de14 --- /dev/null +++ b/queue-2.6.20/fix-mtrr-compat-ioctl.patch @@ -0,0 +1,104 @@ +From stable-bounces@linux.kernel.org Mon Feb 5 17:05:37 2007 +From: Zwane Mwaikambo +Date: Mon, 05 Feb 2007 16:45:06 -0800 +Subject: Fix MTRR compat ioctl +To: ak@suse.de +Cc: akpm@linux-foundation.org, stable@kernel.org, zwane@infradead.org +Message-ID: <200702060046.l160k9n6005536@shell0.pdx.osdl.net> + + +From: Zwane Mwaikambo + +The MTRR compat code wasn't calling the lowlevel MTRR setup due to a switch +block not handling the compat case. + +Before: +(WW) I810(0): Failed to set up write-combining range (0xd0000000,0x10000000) + +After: +reg00: base=0x00000000 ( 0MB), size=1024MB: write-back, count=1 +reg01: base=0x40000000 (1024MB), size= 512MB: write-back, count=1 +reg02: base=0x5f700000 (1527MB), size= 1MB: uncachable, count=1 +reg03: base=0x5f800000 (1528MB), size= 8MB: uncachable, count=1 +reg04: base=0xd0000000 (3328MB), size= 256MB: write-combining, count=1 + +Signed-off-by: Zwane Mwaikambo +Cc: Andi Kleen +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/cpu/mtrr/if.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +--- linux-2.6.20.1.orig/arch/i386/kernel/cpu/mtrr/if.c ++++ linux-2.6.20.1/arch/i386/kernel/cpu/mtrr/if.c +@@ -158,8 +158,9 @@ mtrr_ioctl(struct file *file, unsigned i + struct mtrr_sentry sentry; + struct mtrr_gentry gentry; + void __user *arg = (void __user *) __arg; ++ unsigned int compat_cmd = cmd; + +- switch (cmd) { ++ switch (compat_cmd) { + case MTRRIOC_ADD_ENTRY: + case MTRRIOC_SET_ENTRY: + case MTRRIOC_DEL_ENTRY: +@@ -177,14 +178,20 @@ mtrr_ioctl(struct file *file, unsigned i + return -EFAULT; + break; + #ifdef CONFIG_COMPAT +- case MTRRIOC32_ADD_ENTRY: +- case MTRRIOC32_SET_ENTRY: +- case MTRRIOC32_DEL_ENTRY: +- case MTRRIOC32_KILL_ENTRY: +- case MTRRIOC32_ADD_PAGE_ENTRY: +- case MTRRIOC32_SET_PAGE_ENTRY: +- case MTRRIOC32_DEL_PAGE_ENTRY: +- case MTRRIOC32_KILL_PAGE_ENTRY: { ++#define MTRR_COMPAT_OP(op, type)\ ++ case MTRRIOC32_##op: \ ++ cmd = MTRRIOC_##op; \ ++ goto compat_get_##type ++ ++ MTRR_COMPAT_OP(ADD_ENTRY, sentry); ++ MTRR_COMPAT_OP(SET_ENTRY, sentry); ++ MTRR_COMPAT_OP(DEL_ENTRY, sentry); ++ MTRR_COMPAT_OP(KILL_ENTRY, sentry); ++ MTRR_COMPAT_OP(ADD_PAGE_ENTRY, sentry); ++ MTRR_COMPAT_OP(SET_PAGE_ENTRY, sentry); ++ MTRR_COMPAT_OP(DEL_PAGE_ENTRY, sentry); ++ MTRR_COMPAT_OP(KILL_PAGE_ENTRY, sentry); ++compat_get_sentry: { + struct mtrr_sentry32 __user *s32 = (struct mtrr_sentry32 __user *)__arg; + err = get_user(sentry.base, &s32->base); + err |= get_user(sentry.size, &s32->size); +@@ -193,8 +200,9 @@ mtrr_ioctl(struct file *file, unsigned i + return err; + break; + } +- case MTRRIOC32_GET_ENTRY: +- case MTRRIOC32_GET_PAGE_ENTRY: { ++ MTRR_COMPAT_OP(GET_ENTRY, gentry); ++ MTRR_COMPAT_OP(GET_PAGE_ENTRY, gentry); ++compat_get_gentry: { + struct mtrr_gentry32 __user *g32 = (struct mtrr_gentry32 __user *)__arg; + err = get_user(gentry.regnum, &g32->regnum); + err |= get_user(gentry.base, &g32->base); +@@ -204,6 +212,7 @@ mtrr_ioctl(struct file *file, unsigned i + return err; + break; + } ++#undef MTRR_COMPAT_OP + #endif + } + +@@ -287,7 +296,7 @@ mtrr_ioctl(struct file *file, unsigned i + if (err) + return err; + +- switch(cmd) { ++ switch(compat_cmd) { + case MTRRIOC_GET_ENTRY: + case MTRRIOC_GET_PAGE_ENTRY: + if (copy_to_user(arg, &gentry, sizeof gentry)) diff --git a/queue-2.6.20/hugetlb-preserve-hugetlb-pte-dirty-state.patch b/queue-2.6.20/hugetlb-preserve-hugetlb-pte-dirty-state.patch new file mode 100644 index 00000000000..adddbf65279 --- /dev/null +++ b/queue-2.6.20/hugetlb-preserve-hugetlb-pte-dirty-state.patch @@ -0,0 +1,68 @@ +From stable-bounces@linux.kernel.org Thu Feb 8 14:22:41 2007 +From: "Ken Chen" +Date: Thu, 08 Feb 2007 14:20:27 -0800 +Subject: hugetlb: preserve hugetlb pte dirty state +To: torvalds@linux-foundation.org +Cc: nish.aravamudan@gmail.com, wli@holomorphy.com, kenchen@google.com, agl@us.ibm.com, hugh@veritas.com, akpm@linux-foundation.org, stable@kernel.org, david@gibson.dropbear.id.au +Message-ID: <200702082220.l18MKRLR028479@shell0.pdx.osdl.net> + + +From: "Ken Chen" + +__unmap_hugepage_range() is buggy that it does not preserve dirty state of +huge_pte when unmapping hugepage range. It causes data corruption in the +event of dop_caches being used by sys admin. For example, an application +creates a hugetlb file, modify pages, then unmap it. While leaving the +hugetlb file alive, comes along sys admin doing a "echo 3 > +/proc/sys/vm/drop_caches". + +drop_pagecache_sb() will happily free all pages that aren't marked dirty if +there are no active mapping. Later when application remaps the hugetlb +file back and all data are gone, triggering catastrophic flip over on +application. + +Not only that, the internal resv_huge_pages count will also get all messed +up. Fix it up by marking page dirty appropriately. + +Signed-off-by: Ken Chen +Cc: "Nish Aravamudan" +Cc: Adam Litke +Cc: David Gibson +Cc: William Lee Irwin III +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hugetlbfs/inode.c | 5 ++++- + mm/hugetlb.c | 2 ++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/fs/hugetlbfs/inode.c ++++ linux-2.6.20.1/fs/hugetlbfs/inode.c +@@ -449,10 +449,13 @@ static int hugetlbfs_symlink(struct inod + } + + /* +- * For direct-IO reads into hugetlb pages ++ * mark the head page dirty + */ + static int hugetlbfs_set_page_dirty(struct page *page) + { ++ struct page *head = (struct page *)page_private(page); ++ ++ SetPageDirty(head); + return 0; + } + +--- linux-2.6.20.1.orig/mm/hugetlb.c ++++ linux-2.6.20.1/mm/hugetlb.c +@@ -389,6 +389,8 @@ void __unmap_hugepage_range(struct vm_ar + continue; + + page = pte_page(pte); ++ if (pte_dirty(pte)) ++ set_page_dirty(page); + list_add(&page->lru, &page_list); + } + spin_unlock(&mm->page_table_lock); diff --git a/queue-2.6.20/kernel-time-clocksource.c-needs-struct-task_struct-on-m68k.patch b/queue-2.6.20/kernel-time-clocksource.c-needs-struct-task_struct-on-m68k.patch new file mode 100644 index 00000000000..ec6a33ea917 --- /dev/null +++ b/queue-2.6.20/kernel-time-clocksource.c-needs-struct-task_struct-on-m68k.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Sat Feb 10 01:45:32 2007 +From: Mathieu Desnoyers +Date: Sat, 10 Feb 2007 01:43:43 -0800 +Subject: kernel/time/clocksource.c needs struct task_struct on m68k +To: torvalds@linux-foundation.org +Cc: mathieu.desnoyers@polymtl.ca, zippel@linux-m68k.org, stable@kernel.org, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu +Message-ID: <200702100943.l1A9hhaO008570@shell0.pdx.osdl.net> + + +From: Mathieu Desnoyers + +kernel/time/clocksource.c needs struct task_struct on m68k. + +Because it uses spin_unlock_irq(), which, on m68k, uses hardirq_count(), which +uses preempt_count(), which needs to dereference struct task_struct, we +have to include sched.h. Because it would cause a loop inclusion, we +cannot include sched.h in any other of asm-m68k/system.h, +linux/thread_info.h, linux/hardirq.h, which leaves this ugly include in +a C file as the only simple solution. + +Signed-off-by: Mathieu Desnoyers +Cc: Ingo Molnar +Cc: Roman Zippel +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clocksource.c | 1 + + 1 file changed, 1 insertion(+) + +--- linux-2.6.20.1.orig/kernel/time/clocksource.c ++++ linux-2.6.20.1/kernel/time/clocksource.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include /* for spin_unlock_irq() using preempt_count() m68k */ + + /* XXX - Would like a better way for initializing curr_clocksource */ + extern struct clocksource clocksource_jiffies; diff --git a/queue-2.6.20/kexec-fix-config_smp-n-compilation-v2.patch b/queue-2.6.20/kexec-fix-config_smp-n-compilation-v2.patch new file mode 100644 index 00000000000..ffd8ce2d3a6 --- /dev/null +++ b/queue-2.6.20/kexec-fix-config_smp-n-compilation-v2.patch @@ -0,0 +1,93 @@ +From stable-bounces@linux.kernel.org Mon Feb 5 16:22:39 2007 +From: Magnus Damm +Date: Mon, 05 Feb 2007 16:20:09 -0800 +Subject: kexec: Fix CONFIG_SMP=n compilation V2 (ia64) +To: tony.luck@intel.com +Cc: linux-ia64@vger.kernel.org, jlan@sgi.com, magnus@valinux.co.jp, horms@verge.net.au, akpm@linux-foundation.org, stable@kernel.org +Message-ID: <200702060021.l160LC1X004222@shell0.pdx.osdl.net> + + +From: Magnus Damm + +Kexec support for 2.6.20 on ia64 does not build properly using a config +made up by CONFIG_SMP=n and CONFIG_HOTPLUG_CPU=n: + + CC arch/ia64/kernel/machine_kexec.o +arch/ia64/kernel/machine_kexec.c: In function `machine_shutdown': +arch/ia64/kernel/machine_kexec.c:77: warning: implicit declaration of function `cpu_down' + AS arch/ia64/kernel/relocate_kernel.o + CC arch/ia64/kernel/crash.o +arch/ia64/kernel/crash.c: In function `kdump_cpu_freeze': +arch/ia64/kernel/crash.c:139: warning: implicit declaration of function `ia64_jump_to_sal' +arch/ia64/kernel/crash.c:139: error: `sal_boot_rendez_state' undeclared (first use in this function) +arch/ia64/kernel/crash.c:139: error: (Each undeclared identifier is reported only once +arch/ia64/kernel/crash.c:139: error: for each function it appears in.) +arch/ia64/kernel/crash.c: At top level: +arch/ia64/kernel/crash.c:84: warning: 'kdump_wait_cpu_freeze' defined but not used +make[1]: *** [arch/ia64/kernel/crash.o] Error 1 +make: *** [arch/ia64/kernel] Error 2 + +Signed-off-by: Magnus Damm +Acked-by: Simon Horman +Acked-by: Jay Lan +Cc: "Luck, Tony" +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/ia64/kernel/crash.c | 11 +++++++---- + arch/ia64/kernel/machine_kexec.c | 2 ++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- linux-2.6.20.1.orig/arch/ia64/kernel/crash.c ++++ linux-2.6.20.1/arch/ia64/kernel/crash.c +@@ -79,6 +79,7 @@ crash_save_this_cpu() + final_note(buf); + } + ++#ifdef CONFIG_SMP + static int + kdump_wait_cpu_freeze(void) + { +@@ -91,6 +92,7 @@ kdump_wait_cpu_freeze(void) + } + return 1; + } ++#endif + + void + machine_crash_shutdown(struct pt_regs *pt) +@@ -132,11 +134,12 @@ kdump_cpu_freeze(struct unw_frame_info * + atomic_inc(&kdump_cpu_freezed); + kdump_status[cpuid] = 1; + mb(); +- if (cpuid == 0) { +- for (;;) +- cpu_relax(); +- } else ++#ifdef CONFIG_HOTPLUG_CPU ++ if (cpuid != 0) + ia64_jump_to_sal(&sal_boot_rendez_state[cpuid]); ++#endif ++ for (;;) ++ cpu_relax(); + } + + static int +--- linux-2.6.20.1.orig/arch/ia64/kernel/machine_kexec.c ++++ linux-2.6.20.1/arch/ia64/kernel/machine_kexec.c +@@ -70,12 +70,14 @@ void machine_kexec_cleanup(struct kimage + + void machine_shutdown(void) + { ++#ifdef CONFIG_HOTPLUG_CPU + int cpu; + + for_each_online_cpu(cpu) { + if (cpu != smp_processor_id()) + cpu_down(cpu); + } ++#endif + kexec_disable_iosapic(); + } + diff --git a/queue-2.6.20/kvm-fix-asm-constraint-for-lldt-instruction.patch b/queue-2.6.20/kvm-fix-asm-constraint-for-lldt-instruction.patch new file mode 100644 index 00000000000..35258b6954a --- /dev/null +++ b/queue-2.6.20/kvm-fix-asm-constraint-for-lldt-instruction.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Mon Feb 12 00:56:50 2007 +From: S.Caglar Onur +Date: Mon, 12 Feb 2007 00:54:34 -0800 +Subject: kvm: Fix asm constraint for lldt instruction +To: torvalds@linux-foundation.org +Cc: caglar@pardus.org.tr, akpm@linux-foundation.org, mingo@elte.hu, avi@qumranet.com, stable@kernel.org +Message-ID: <200702120854.l1C8sYVm027152@shell0.pdx.osdl.net> + + +From: S.Caglar Onur + +lldt does not accept immediate operands, which "g" allows. + +Signed-off-by: S.Caglar Onur +Signed-off-by: Avi Kivity +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/kvm/kvm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.20.1.orig/drivers/kvm/kvm.h ++++ linux-2.6.20.1/drivers/kvm/kvm.h +@@ -558,7 +558,7 @@ static inline void load_gs(u16 sel) + #ifndef load_ldt + static inline void load_ldt(u16 sel) + { +- asm ("lldt %0" : : "g"(sel)); ++ asm ("lldt %0" : : "rm"(sel)); + } + #endif + diff --git a/queue-2.6.20/lockdep-forward-declare-struct-task_struct.patch b/queue-2.6.20/lockdep-forward-declare-struct-task_struct.patch new file mode 100644 index 00000000000..761f99213b3 --- /dev/null +++ b/queue-2.6.20/lockdep-forward-declare-struct-task_struct.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Mon Feb 12 00:54:10 2007 +Date: Mon, 12 Feb 2007 00:52:20 -0800 +From: Heiko Carstens +Subject: lockdep: forward declare struct task_struct +To: torvalds@linux-foundation.org +Cc: schwidefsky@de.ibm.com, akpm@linux-foundation.org, heiko.carstens@de.ibm.com, mingo@elte.hu, stable@kernel.org +Message-ID: <200702120852.l1C8qKJr026562@shell0.pdx.osdl.net> + + +From: Heiko Carstens + +3117df0453828bd045c16244e6f50e5714667a8a causes this: + +In file included from arch/s390/kernel/early.c:13: +include/linux/lockdep.h:300: warning: + "struct task_struct" declared inside parameter list +include/linux/lockdep.h:300: + warning: its scope is only this definition or + declaration, which is probably not what you want + +Acked-by: Ingo Molnar +Cc: Martin Schwidefsky +Signed-off-by: Heiko Carstens +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/lockdep.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.20.1.orig/include/linux/lockdep.h ++++ linux-2.6.20.1/include/linux/lockdep.h +@@ -8,6 +8,8 @@ + #ifndef __LINUX_LOCKDEP_H + #define __LINUX_LOCKDEP_H + ++struct task_struct; ++ + #ifdef CONFIG_LOCKDEP + + #include diff --git a/queue-2.6.20/m32r-build-fix-for-processors-without-isa_dsp_level2.patch b/queue-2.6.20/m32r-build-fix-for-processors-without-isa_dsp_level2.patch new file mode 100644 index 00000000000..86f26310abc --- /dev/null +++ b/queue-2.6.20/m32r-build-fix-for-processors-without-isa_dsp_level2.patch @@ -0,0 +1,80 @@ +From stable-bounces@linux.kernel.org Sat Feb 10 01:45:13 2007 +From: Hirokazu Takata +Date: Sat, 10 Feb 2007 01:43:35 -0800 +Subject: m32r: build fix for processors without ISA_DSP_LEVEL2 +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, takata@linux-m32r.org, stable@kernel.org +Message-ID: <200702100943.l1A9ha01008543@shell0.pdx.osdl.net> + + +From: Hirokazu Takata + +Additional fixes for processors without ISA_DSP_LEVEL2. sigcontext_t does not +have dummy_acc1h, dummy_acc1l members any longer. + +Signed-off-by: Hirokazu Takata +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m32r/kernel/process.c | 2 +- + arch/m32r/kernel/signal.c | 26 ++++---------------------- + 2 files changed, 5 insertions(+), 23 deletions(-) + +--- linux-2.6.20.1.orig/arch/m32r/kernel/process.c ++++ linux-2.6.20.1/arch/m32r/kernel/process.c +@@ -174,7 +174,7 @@ void show_regs(struct pt_regs * regs) + regs->acc1h, regs->acc1l); + #elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R) + printk("ACCH[%08lx]:ACCL[%08lx]\n", \ +- regs->acch, regs->accl); ++ regs->acc0h, regs->acc0l); + #else + #error unknown isa configuration + #endif +--- linux-2.6.20.1.orig/arch/m32r/kernel/signal.c ++++ linux-2.6.20.1/arch/m32r/kernel/signal.c +@@ -109,19 +109,10 @@ restore_sigcontext(struct pt_regs *regs, + COPY(r10); + COPY(r11); + COPY(r12); +-#if defined(CONFIG_ISA_M32R2) && defined(CONFIG_ISA_DSP_LEVEL2) + COPY(acc0h); + COPY(acc0l); +- COPY(acc1h); +- COPY(acc1l); +-#elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R) +- COPY(acch); +- COPY(accl); +- COPY(dummy_acc1h); +- COPY(dummy_acc1l); +-#else +-#error unknown isa configuration +-#endif ++ COPY(acc1h); /* ISA_DSP_LEVEL2 only */ ++ COPY(acc1l); /* ISA_DSP_LEVEL2 only */ + COPY(psw); + COPY(bpc); + COPY(bbpsw); +@@ -196,19 +187,10 @@ setup_sigcontext(struct sigcontext __use + COPY(r10); + COPY(r11); + COPY(r12); +-#if defined(CONFIG_ISA_M32R2) && defined(CONFIG_ISA_DSP_LEVEL2) + COPY(acc0h); + COPY(acc0l); +- COPY(acc1h); +- COPY(acc1l); +-#elif defined(CONFIG_ISA_M32R2) || defined(CONFIG_ISA_M32R) +- COPY(acch); +- COPY(accl); +- COPY(dummy_acc1h); +- COPY(dummy_acc1l); +-#else +-#error unknown isa configuration +-#endif ++ COPY(acc1h); /* ISA_DSP_LEVEL2 only */ ++ COPY(acc1l); /* ISA_DSP_LEVEL2 only */ + COPY(psw); + COPY(bpc); + COPY(bbpsw); diff --git a/queue-2.6.20/nlm-fix-double-free-in-__nlm_async_call.patch b/queue-2.6.20/nlm-fix-double-free-in-__nlm_async_call.patch new file mode 100644 index 00000000000..9bf9a878db5 --- /dev/null +++ b/queue-2.6.20/nlm-fix-double-free-in-__nlm_async_call.patch @@ -0,0 +1,66 @@ +From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007 +From: Trond Myklebust +Date: Mon, 05 Feb 2007 12:33:23 -0800 +Subject: NLM: Fix double free in __nlm_async_call +To: stable@kernel.org +Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com +Message-ID: <200702052033.l15KXNCl030349@shell0.pdx.osdl.net> + + +From: Trond Myklebust + +rpc_call_async() will always call rpc_release_calldata(), so it is an +error for __nlm_async_call() to do so as well. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923 + +Signed-off-by: Trond Myklebust +Cc: Jan "Yenya" Kasprzak +Cc: Neil Brown +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/clntproc.c | 9 +++------ + fs/lockd/svclock.c | 4 +--- + 2 files changed, 4 insertions(+), 9 deletions(-) + +--- linux-2.6.20.1.orig/fs/lockd/clntproc.c ++++ linux-2.6.20.1/fs/lockd/clntproc.c +@@ -361,7 +361,6 @@ static int __nlm_async_call(struct nlm_r + { + struct nlm_host *host = req->a_host; + struct rpc_clnt *clnt; +- int status = -ENOLCK; + + dprintk("lockd: call procedure %d on %s (async)\n", + (int)proc, host->h_name); +@@ -373,12 +372,10 @@ static int __nlm_async_call(struct nlm_r + msg->rpc_proc = &clnt->cl_procinfo[proc]; + + /* bootstrap and kick off the async RPC call */ +- status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req); +- if (status == 0) +- return 0; ++ return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req); + out_err: +- nlm_release_call(req); +- return status; ++ tk_ops->rpc_release(req); ++ return -ENOLCK; + } + + int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops) +--- linux-2.6.20.1.orig/fs/lockd/svclock.c ++++ linux-2.6.20.1/fs/lockd/svclock.c +@@ -593,9 +593,7 @@ callback: + + /* Call the client */ + kref_get(&block->b_count); +- if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, +- &nlmsvc_grant_ops) < 0) +- nlmsvc_release_block(block); ++ nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops); + } + + /* diff --git a/queue-2.6.20/rpm-fix-double-free-in-portmapper-code.patch b/queue-2.6.20/rpm-fix-double-free-in-portmapper-code.patch new file mode 100644 index 00000000000..d0ccd53a77d --- /dev/null +++ b/queue-2.6.20/rpm-fix-double-free-in-portmapper-code.patch @@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007 +From: Trond Myklebust +Date: Mon, 05 Feb 2007 12:33:22 -0800 +Subject: RPM: fix double free in portmapper code +To: stable@kernel.org +Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com +Message-ID: <200702052033.l15KXMIU030346@shell0.pdx.osdl.net> + + +From: Trond Myklebust + +rpc_run_task is guaranteed to always call ->rpc_release. + +Signed-off-by: Trond Myklebust +Cc: Neil Brown +Cc: Jan "Yenya" Kasprzak +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + + +--- + net/sunrpc/pmap_clnt.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- linux-2.6.20.1.orig/net/sunrpc/pmap_clnt.c ++++ linux-2.6.20.1/net/sunrpc/pmap_clnt.c +@@ -62,7 +62,10 @@ static inline void pmap_map_free(struct + + static void pmap_map_release(void *data) + { +- pmap_map_free(data); ++ struct portmap_args *map = data; ++ ++ xprt_put(map->pm_xprt); ++ pmap_map_free(map); + } + + static const struct rpc_call_ops pmap_getport_ops = { +@@ -133,7 +136,7 @@ void rpc_getport(struct rpc_task *task) + status = -EIO; + child = rpc_run_task(pmap_clnt, RPC_TASK_ASYNC, &pmap_getport_ops, map); + if (IS_ERR(child)) +- goto bailout; ++ goto bailout_nofree; + rpc_put_task(child); + + task->tk_xprt->stat.bind_count++; +@@ -222,7 +225,6 @@ static void pmap_getport_done(struct rpc + child->tk_pid, status, map->pm_port); + + pmap_wake_portmap_waiters(xprt, status); +- xprt_put(xprt); + } + + /** diff --git a/queue-2.6.20/series b/queue-2.6.20/series index d2cc7ddc4bd..c8efe521de5 100644 --- a/queue-2.6.20/series +++ b/queue-2.6.20/series @@ -76,3 +76,17 @@ sched-fix-smt-scheduler-bug.patch usb-usbnet-driver-bugfix.patch backport-of-psmouse-suspend-shutdown-cleanups.patch revert-log2-alter-get_order-so-that-it-can-make-use-of-ilog2-on-a-constant.patch +rpm-fix-double-free-in-portmapper-code.patch +nlm-fix-double-free-in-__nlm_async_call.patch +kexec-fix-config_smp-n-compilation-v2.patch +fix-mtrr-compat-ioctl.patch +ufs-restore-back-support-of-openstep.patch +v9fs_vfs_mkdir-fix-a-double-free.patch +enable-mouse-button-2-3-emulation-for-x86-macs.patch +hugetlb-preserve-hugetlb-pte-dirty-state.patch +m32r-build-fix-for-processors-without-isa_dsp_level2.patch +kernel-time-clocksource.c-needs-struct-task_struct-on-m68k.patch +buffer-memorder-fix.patch +char-specialix-isr-have-2-params.patch +lockdep-forward-declare-struct-task_struct.patch +kvm-fix-asm-constraint-for-lldt-instruction.patch diff --git a/queue-2.6.20/ufs-restore-back-support-of-openstep.patch b/queue-2.6.20/ufs-restore-back-support-of-openstep.patch new file mode 100644 index 00000000000..7bdaa0dc00d --- /dev/null +++ b/queue-2.6.20/ufs-restore-back-support-of-openstep.patch @@ -0,0 +1,176 @@ +From stable-bounces@linux.kernel.org Thu Feb 8 14:21:58 2007 +From: Evgeniy Dushistov +Date: Thu, 08 Feb 2007 14:20:25 -0800 +Subject: ufs: restore back support of openstep +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, dushistov@mail.ru, stable@kernel.org +Message-ID: <200702082220.l18MKQcn028473@shell0.pdx.osdl.net> + + +From: Evgeniy Dushistov + +This is a fix of regression, which triggered by ~2.6.16. + +Patch with name ufs-directory-and-page-cache-from-blocks-to-pages.patch: in +additional to conversation from block to page cache mechanism added new +checks of directory integrity, one of them that directory entry do not +across directory chunks. + +But some kinds of UFS: OpenStep UFS and Apple UFS (looks like these are the +same filesystems) have different directory chunk size, then common +UFSes(BSD and Solaris UFS). + +So this patch adds ability to works with variable size of directory chunks, +and set it for ufstype=openstep to right size. + +Tested on darwin ufs. + +Signed-off-by: Evgeniy Dushistov +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/dir.c | 21 ++++++++++++--------- + fs/ufs/super.c | 5 ++++- + include/linux/ufs_fs.h | 1 + + 3 files changed, 17 insertions(+), 10 deletions(-) + +--- linux-2.6.20.1.orig/fs/ufs/dir.c ++++ linux-2.6.20.1/fs/ufs/dir.c +@@ -106,12 +106,13 @@ static void ufs_check_page(struct page * + char *kaddr = page_address(page); + unsigned offs, rec_len; + unsigned limit = PAGE_CACHE_SIZE; ++ const unsigned chunk_mask = UFS_SB(sb)->s_uspi->s_dirblksize - 1; + struct ufs_dir_entry *p; + char *error; + + if ((dir->i_size >> PAGE_CACHE_SHIFT) == page->index) { + limit = dir->i_size & ~PAGE_CACHE_MASK; +- if (limit & (UFS_SECTOR_SIZE - 1)) ++ if (limit & chunk_mask) + goto Ebadsize; + if (!limit) + goto out; +@@ -126,7 +127,7 @@ static void ufs_check_page(struct page * + goto Ealign; + if (rec_len < UFS_DIR_REC_LEN(ufs_get_de_namlen(sb, p))) + goto Enamelen; +- if (((offs + rec_len - 1) ^ offs) & ~(UFS_SECTOR_SIZE-1)) ++ if (((offs + rec_len - 1) ^ offs) & ~chunk_mask) + goto Espan; + if (fs32_to_cpu(sb, p->d_ino) > (UFS_SB(sb)->s_uspi->s_ipg * + UFS_SB(sb)->s_uspi->s_ncg)) +@@ -310,6 +311,7 @@ int ufs_add_link(struct dentry *dentry, + int namelen = dentry->d_name.len; + struct super_block *sb = dir->i_sb; + unsigned reclen = UFS_DIR_REC_LEN(namelen); ++ const unsigned int chunk_size = UFS_SB(sb)->s_uspi->s_dirblksize; + unsigned short rec_len, name_len; + struct page *page = NULL; + struct ufs_dir_entry *de; +@@ -342,8 +344,8 @@ int ufs_add_link(struct dentry *dentry, + if ((char *)de == dir_end) { + /* We hit i_size */ + name_len = 0; +- rec_len = UFS_SECTOR_SIZE; +- de->d_reclen = cpu_to_fs16(sb, UFS_SECTOR_SIZE); ++ rec_len = chunk_size; ++ de->d_reclen = cpu_to_fs16(sb, chunk_size); + de->d_ino = 0; + goto got_it; + } +@@ -431,7 +433,7 @@ ufs_readdir(struct file *filp, void *dir + unsigned int offset = pos & ~PAGE_CACHE_MASK; + unsigned long n = pos >> PAGE_CACHE_SHIFT; + unsigned long npages = ufs_dir_pages(inode); +- unsigned chunk_mask = ~(UFS_SECTOR_SIZE - 1); ++ unsigned chunk_mask = ~(UFS_SB(sb)->s_uspi->s_dirblksize - 1); + int need_revalidate = filp->f_version != inode->i_version; + unsigned flags = UFS_SB(sb)->s_flags; + +@@ -511,7 +513,7 @@ int ufs_delete_entry(struct inode *inode + struct super_block *sb = inode->i_sb; + struct address_space *mapping = page->mapping; + char *kaddr = page_address(page); +- unsigned from = ((char*)dir - kaddr) & ~(UFS_SECTOR_SIZE - 1); ++ unsigned from = ((char*)dir - kaddr) & ~(UFS_SB(sb)->s_uspi->s_dirblksize - 1); + unsigned to = ((char*)dir - kaddr) + fs16_to_cpu(sb, dir->d_reclen); + struct ufs_dir_entry *pde = NULL; + struct ufs_dir_entry *de = (struct ufs_dir_entry *) (kaddr + from); +@@ -556,6 +558,7 @@ int ufs_make_empty(struct inode * inode, + struct super_block * sb = dir->i_sb; + struct address_space *mapping = inode->i_mapping; + struct page *page = grab_cache_page(mapping, 0); ++ const unsigned int chunk_size = UFS_SB(sb)->s_uspi->s_dirblksize; + struct ufs_dir_entry * de; + char *base; + int err; +@@ -563,7 +566,7 @@ int ufs_make_empty(struct inode * inode, + if (!page) + return -ENOMEM; + kmap(page); +- err = mapping->a_ops->prepare_write(NULL, page, 0, UFS_SECTOR_SIZE); ++ err = mapping->a_ops->prepare_write(NULL, page, 0, chunk_size); + if (err) { + unlock_page(page); + goto fail; +@@ -584,11 +587,11 @@ int ufs_make_empty(struct inode * inode, + ((char *)de + fs16_to_cpu(sb, de->d_reclen)); + de->d_ino = cpu_to_fs32(sb, dir->i_ino); + ufs_set_de_type(sb, de, dir->i_mode); +- de->d_reclen = cpu_to_fs16(sb, UFS_SECTOR_SIZE - UFS_DIR_REC_LEN(1)); ++ de->d_reclen = cpu_to_fs16(sb, chunk_size - UFS_DIR_REC_LEN(1)); + ufs_set_de_namlen(sb, de, 2); + strcpy (de->d_name, ".."); + +- err = ufs_commit_chunk(page, 0, UFS_SECTOR_SIZE); ++ err = ufs_commit_chunk(page, 0, chunk_size); + fail: + kunmap(page); + page_cache_release(page); +--- linux-2.6.20.1.orig/fs/ufs/super.c ++++ linux-2.6.20.1/fs/ufs/super.c +@@ -649,7 +649,7 @@ static int ufs_fill_super(struct super_b + kmalloc (sizeof(struct ufs_sb_private_info), GFP_KERNEL); + if (!uspi) + goto failed; +- ++ uspi->s_dirblksize = UFS_SECTOR_SIZE; + super_block_offset=UFS_SBLOCK; + + /* Keep 2Gig file limit. Some UFS variants need to override +@@ -718,6 +718,7 @@ static int ufs_fill_super(struct super_b + break; + + case UFS_MOUNT_UFSTYPE_NEXTSTEP: ++ /*TODO: check may be we need set special dir block size?*/ + UFSD("ufstype=nextstep\n"); + uspi->s_fsize = block_size = 1024; + uspi->s_fmask = ~(1024 - 1); +@@ -733,6 +734,7 @@ static int ufs_fill_super(struct super_b + break; + + case UFS_MOUNT_UFSTYPE_NEXTSTEP_CD: ++ /*TODO: check may be we need set special dir block size?*/ + UFSD("ufstype=nextstep-cd\n"); + uspi->s_fsize = block_size = 2048; + uspi->s_fmask = ~(2048 - 1); +@@ -754,6 +756,7 @@ static int ufs_fill_super(struct super_b + uspi->s_fshift = 10; + uspi->s_sbsize = super_block_size = 2048; + uspi->s_sbbase = 0; ++ uspi->s_dirblksize = 1024; + flags |= UFS_DE_44BSD | UFS_UID_44BSD | UFS_ST_44BSD | UFS_CG_44BSD; + if (!(sb->s_flags & MS_RDONLY)) { + if (!silent) +--- linux-2.6.20.1.orig/include/linux/ufs_fs.h ++++ linux-2.6.20.1/include/linux/ufs_fs.h +@@ -789,6 +789,7 @@ struct ufs_sb_private_info { + + __u32 s_maxsymlinklen;/* upper limit on fast symlinks' size */ + __s32 fs_magic; /* filesystem magic */ ++ unsigned int s_dirblksize; + }; + + /* diff --git a/queue-2.6.20/v9fs_vfs_mkdir-fix-a-double-free.patch b/queue-2.6.20/v9fs_vfs_mkdir-fix-a-double-free.patch new file mode 100644 index 00000000000..ed1c2197f4c --- /dev/null +++ b/queue-2.6.20/v9fs_vfs_mkdir-fix-a-double-free.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Thu Feb 8 14:22:20 2007 +From: Adrian Bunk +Date: Thu, 08 Feb 2007 14:20:38 -0800 +Subject: v9fs_vfs_mkdir(): fix a double free +To: torvalds@linux-foundation.org +Cc: ericvh@gmail.com, akpm@linux-foundation.org, stable@kernel.org, bunk@stusta.de +Message-ID: <200702082220.l18MKcCN028498@shell0.pdx.osdl.net> + + +From: Adrian Bunk + +Fix a double free of "dfid" introduced by commit +da977b2c7eb4d6312f063a7b486f2aad99809710 and spotted by the Coverity +checker. + +Signed-off-by: Adrian Bunk +Cc: Eric Van Hensbergen +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + + fs/9p/vfs_inode.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- linux-2.6.20.1.orig/fs/9p/vfs_inode.c ++++ linux-2.6.20.1/fs/9p/vfs_inode.c +@@ -585,17 +585,14 @@ static int v9fs_vfs_mkdir(struct inode * + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + inode = NULL; +- goto clean_up_fids; ++ v9fs_fid_destroy(vfid); ++ goto error; + } + + dentry->d_op = &v9fs_dentry_operations; + d_instantiate(dentry, inode); + return 0; + +-clean_up_fids: +- if (vfid) +- v9fs_fid_destroy(vfid); +- + clean_up_dfid: + v9fs_fid_clunk(v9ses, dfid); +