From: Greg Kroah-Hartman
Date: Thu, 5 Nov 2009 23:46:26 +0000 (-0800)
Subject: start .27 queue
X-Git-Tag: v2.6.31.6~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc52e4ec3752f88736d03a5278504b5bf35df6af;p=thirdparty%2Fkernel%2Fstable-queue.git
start .27 queue
---
diff --git a/queue-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch b/queue-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch
new file mode 100644
index 00000000000..157ddcc8b87
--- /dev/null
+++ b/queue-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch
@@ -0,0 +1,73 @@
+From c68d2b1594548cda7f6dbac6a4d9d30a9b01558c Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Mon, 26 Oct 2009 16:50:05 -0700
+Subject: 8250_pci: add IBM Saturn serial card
+
+From: Benjamin Herrenschmidt
+
+commit c68d2b1594548cda7f6dbac6a4d9d30a9b01558c upstream.
+
+The IBM Saturn serial card has only one port. Without that fixup,
+the kernel thinks it has two, which confuses userland setup and
+admin tools as well.
+
+[akpm@linux-foundation.org: fix pci-ids.h layout]
+Signed-off-by: Benjamin Herrenschmidt
+Acked-by: Alan Cox
+Cc: Michael Reed
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Acked-by: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/serial/8250_pci.c | 11 +++++++++++
+ include/linux/pci_ids.h | 3 +++
+ 2 files changed, 14 insertions(+)
+
+--- a/drivers/serial/8250_pci.c
++++ b/drivers/serial/8250_pci.c
+@@ -1218,6 +1218,7 @@ enum pci_board_num_t {
+ pbn_exar_XR17C152,
+ pbn_exar_XR17C154,
+ pbn_exar_XR17C158,
++ pbn_exar_ibm_saturn,
+ pbn_pasemi_1682M,
+ };
+
+@@ -1746,6 +1747,13 @@ static struct pciserial_board pci_boards
+ .base_baud = 921600,
+ .uart_offset = 0x200,
+ },
++ [pbn_exar_ibm_saturn] = {
++ .flags = FL_BASE0,
++ .num_ports = 1,
++ .base_baud = 921600,
++ .uart_offset = 0x200,
++ },
++
+ /*
+ * PA Semi PWRficient PA6T-1682M on-chip UART
+ */
+@@ -2217,6 +2225,9 @@ static struct pci_device_id serial_pci_t
+ PCI_SUBVENDOR_ID_CONNECT_TECH,
+ PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_485, 0, 0,
+ pbn_b0_8_1843200_200 },
++ { PCI_VENDOR_ID_EXAR, PCI_DEVICE_ID_EXAR_XR17C152,
++ PCI_VENDOR_ID_IBM, PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT,
++ 0, 0, pbn_exar_ibm_saturn },
+
+ { PCI_VENDOR_ID_SEALEVEL, PCI_DEVICE_ID_SEALEVEL_U530,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -478,6 +478,9 @@
+ #define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM_PCIE 0x0361
+ #define PCI_DEVICE_ID_IBM_ICOM_FOUR_PORT_MODEL 0x252
+
++#define PCI_SUBVENDOR_ID_IBM 0x1014
++#define PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT 0x03d4
++
+ #define PCI_VENDOR_ID_UNISYS 0x1018
+ #define PCI_DEVICE_ID_UNISYS_DMA_DIRECTOR 0x001C
+
diff --git a/queue-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch b/queue-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
new file mode 100644
index 00000000000..6c7bce8b082
--- /dev/null
+++ b/queue-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
@@ -0,0 +1,39 @@
+From d50bae33d1358b909ade05ae121d83d3a60ab63f Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Fri, 16 Oct 2009 10:18:09 -0500
+Subject: b43: Fix Bugzilla #14181 and the bug from the previous 'fix'
+
+From: Larry Finger
+
+commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.
+
+"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
+in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
+radio switch was turned off, it was necessary to unload and reload
+the driver for it to recognize the switch again.
+
+This patch fixes both the original bug in #14181 and the bug introduced by
+the previous patch. It must be stated, however, that if there is a BCM4306/3
+with an rfkill switch (not yet proven), then the driver will need an
+unload/reload cycle to turn the device back on.
+
+Signed-off-by: Larry Finger
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/b43/rfkill.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/rfkill.c
++++ b/drivers/net/wireless/b43/rfkill.c
+@@ -36,7 +36,8 @@ static bool b43_is_hw_radio_enabled(stru
+ & B43_MMIO_RADIO_HWENABLED_HI_MASK))
+ return 1;
+ } else {
+- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
++ if (b43_status(dev) >= B43_STAT_STARTED &&
++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
+ & B43_MMIO_RADIO_HWENABLED_LO_MASK)
+ return 1;
+ }
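Review bot: The device-table entry added in the `@@ -2217` hunk matches the subsystem vendor with `PCI_VENDOR_ID_IBM`, while the pci_ids.h hunk adds `PCI_SUBVENDOR_ID_IBM 0x1014`, which nothing in this patch uses. Either the entry should read `PCI_SUBVENDOR_ID_IBM, PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT,` or the unused define should be dropped, so that a reader can tell which name is meant for subsystem matches. The table and the board array both start and end outside the hunks.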
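Review bot: The added `b43_status(dev) >= B43_STAT_STARTED &&` sits in front of an unparenthesised `b43_read16(...) & B43_MMIO_RADIO_HWENABLED_LO_MASK`, so the condition only reads correctly if one remembers that `&` binds tighter than `&&`. Parenthesising the register test, `(b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO) & B43_MMIO_RADIO_HWENABLED_LO_MASK)`, makes the grouping explicit, and a one-line comment stating why the register is only read once the device has reached B43_STAT_STARTED would keep the guard from being dropped later. Only the else branch receives the guard; whether the HI-register branch above it needs the same test cannot be judged here, because b43_is_hw_radio_enabled() begins outside the hunk.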
diff --git a/queue-2.6.27/dpt_i2o-fix-typo-of-einval.patch b/queue-2.6.27/dpt_i2o-fix-typo-of-einval.patch
new file mode 100644
index 00000000000..423a9d8428a
--- /dev/null
+++ b/queue-2.6.27/dpt_i2o-fix-typo-of-einval.patch
@@ -0,0 +1,32 @@
+From aefba418bfecd1985a08f50a95bd854a119f0153 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi
+Date: Fri, 30 Oct 2009 17:02:31 +0900
+Subject: dpt_i2o: Fix typo of EINVAL
+
+From: OGAWA Hirofumi
+
+commit aefba418bfecd1985a08f50a95bd854a119f0153 upstream.
+
+Commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 ("dpt_i2o: Fix up
+copy*user") had a silly typo: EINVAL should be -EINVAL.
+
+Signed-off-by: OGAWA Hirofumi
+Cc: Alan Cox
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/dpt_i2o.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1919,7 +1919,7 @@ static int adpt_i2o_passthru(adpt_hba* p
+ size = size>>16;
+ size *= 4;
+ if (size > MAX_MESSAGE_SIZE) {
+- rcode = EINVAL;
++ rcode = -EINVAL;
+ goto cleanup;
+ }
+ /* Copy in the user's I2O command */
diff --git a/queue-2.6.27/dpt_i2o-fix-up-copy-user.patch b/queue-2.6.27/dpt_i2o-fix-up-copy-user.patch
new file mode 100644
index 00000000000..ec0bad7a1cf
--- /dev/null
+++ b/queue-2.6.27/dpt_i2o-fix-up-copy-user.patch
@@ -0,0 +1,30 @@
+From ef7562b7f28319e6dd1f85dc1af87df2a7a84832 Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Tue, 27 Oct 2009 15:35:35 +0000
+Subject: dpt_i2o: Fix up copy*user
+
+From: Alan Cox
+
+commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 upstream.
+
+Signed-off-by: Alan Cox
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/dpt_i2o.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* p
+ }
+ size = size>>16;
+ size *= 4;
++ if (size > MAX_MESSAGE_SIZE) {
++ rcode = EINVAL;
++ goto cleanup;
++ }
+ /* Copy in the user's I2O command */
+ if (copy_from_user (msg, user_msg, size)) {
+ rcode = -EFAULT;
diff --git a/queue-2.6.27/driver-core-fix-driver_register-return-value.patch b/queue-2.6.27/driver-core-fix-driver_register-return-value.patch
new file mode 100644
index 00000000000..d50adf58af1
--- /dev/null
+++ b/queue-2.6.27/driver-core-fix-driver_register-return-value.patch
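Review bot: The new `size > MAX_MESSAGE_SIZE` test is only an upper bound, and the declaration of `size` is outside the hunk, so it should be confirmed that `size` is unsigned; with a signed type, a value that turns negative after `size>>16` and `size *= 4` would pass the test and reach `copy_from_user (msg, user_msg, size)`. The check also deserves a comment, for example `/* bound the length before copying the user's message into msg */`, because the patch description is empty and the reason for the test is recorded nowhere else. adpt_i2o_passthru() starts and ends outside the hunk.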
@@ -0,0 +1,35 @@
+From 39acbc12affcaa23ef1d887ba3d197baca8e6e47 Mon Sep 17 00:00:00 2001
+From: Stas Sergeev
+Date: Sun, 18 Oct 2009 00:31:38 +0400
+Subject: Driver core: fix driver_register() return value
+
+From: Stas Sergeev
+
+commit 39acbc12affcaa23ef1d887ba3d197baca8e6e47 upstream.
+
+In this patch:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c
+the check was added for another driver to already claim the same device
+on the same bus. But the returned error code was wrong: to modprobe, the
+-EEXIST means that _this_ driver is already installed. It therefore
+doesn't produce the needed error message when _another_ driver is trying
+to register for the same device. Returning -EBUSY fixes the problem.
+
+Signed-off-by: Stas Sergeev
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/driver.c
++++ b/drivers/base/driver.c
+@@ -227,7 +227,7 @@ int driver_register(struct device_driver
+ put_driver(other);
+ printk(KERN_ERR "Error: Driver '%s' is already registered, "
+ "aborting...\n", drv->name);
+- return -EEXIST;
++ return -EBUSY;
+ }
+
+ ret = bus_add_driver(drv);
diff --git a/queue-2.6.27/fs-pipe.c-null-pointer-dereference.patch b/queue-2.6.27/fs-pipe.c-null-pointer-dereference.patch
new file mode 100644
index 00000000000..4e63f84da22
--- /dev/null
+++ b/queue-2.6.27/fs-pipe.c-null-pointer-dereference.patch
@@ -0,0 +1,135 @@
+From ad3960243e55320d74195fb85c975e0a8cc4466c Mon Sep 17 00:00:00 2001
+From: Earl Chew
+Date: Mon, 19 Oct 2009 15:55:41 -0700
+Subject: fs: pipe.c null pointer dereference
+
+From: Earl Chew
+
+commit ad3960243e55320d74195fb85c975e0a8cc4466c upstream.
+
+This patch fixes a null pointer exception in pipe_rdwr_open() which
+generates the stack trace:
+
+> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
+> [] pipe_rdwr_open+0x35/0x70
+> [] __dentry_open+0x13c/0x230
+> [] do_filp_open+0x2d/0x40
+> [] do_sys_open+0x5a/0x100
+> [] sysenter_do_call+0x1b/0x67
+
+The failure mode is triggered by an attempt to open an anonymous
+pipe via /proc/pid/fd/* as exemplified by this script:
+
+=============================================================
+while : ; do
+ { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
+ PID=$!
+ OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
+ { read PID REST ; echo $PID; } )
+ OUT="${OUT%% *}"
+ DELAY=$((RANDOM * 1000 / 32768))
+ usleep $((DELAY * 1000 + RANDOM % 1000 ))
+ echo n > /proc/$OUT/fd/1 # Trigger defect
+done
+=============================================================
+
+Note that the failure window is quite small and I could only
+reliably reproduce the defect by inserting a small delay
+in pipe_rdwr_open(). For example:
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ msleep(100);
+ mutex_lock(&inode->i_mutex);
+
+Although the defect was observed in pipe_rdwr_open(), I think it
+makes sense to replicate the change through all the pipe_*_open()
+functions.
+
+The core of the change is to verify that inode->i_pipe has not
+been released before attempting to manipulate it. If inode->i_pipe
+is no longer present, return ENOENT to indicate so.
+
+The comment about potentially using atomic_t for i_pipe->readers
+and i_pipe->writers has also been removed because it is no longer
+relevant in this context. The inode->i_mutex lock must be used so
+that inode->i_pipe can be dealt with correctly.
+
+Signed-off-by: Earl Chew
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/pipe.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -742,36 +742,55 @@ pipe_rdwr_release(struct inode *inode, s
+ static int
+ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+- /* We could have perhaps used atomic_t, but this and friends
+- below are the only places. So it doesn't seem worthwhile. */
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->readers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->readers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_write_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- if (filp->f_mode & FMODE_READ)
+- inode->i_pipe->readers++;
+- if (filp->f_mode & FMODE_WRITE)
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ if (filp->f_mode & FMODE_READ)
++ inode->i_pipe->readers++;
++ if (filp->f_mode & FMODE_WRITE)
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /*
diff --git a/queue-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch b/queue-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
new file mode 100644
index 00000000000..1ea38eb292f
--- /dev/null
+++ b/queue-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
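Review bot: The three open functions now repeat the same lock, `if (inode->i_pipe)`, unlock sequence, but none of them says why `i_pipe` can be NULL while the inode is still reachable; that explanation exists only in the commit message. A comment above the first check, such as `/* i_pipe may already have been released, e.g. when the pipe is opened through /proc/<pid>/fd; test it under i_mutex */`, would keep a later cleanup from removing the test or moving it outside the lock. The removed atomic_t remark was the only comment in these functions, so the new code is left with none.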
@@ -0,0 +1,47 @@
+From 5c36fe3d87b3f0c85894a49193c66096a3d6b26f Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Mon, 26 Oct 2009 16:49:51 -0700
+Subject: hfsplus: refuse to mount volumes larger than 2TB
+
+From: Ben Hutchings
+
+commit 5c36fe3d87b3f0c85894a49193c66096a3d6b26f upstream.
+
+As found in , hfsplus is using type u32
+rather than sector_t for some sector number calculations.
+
+In particular, hfsplus_get_block() does:
+
+ u32 ablock, dblock, mask;
+...
+ map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));
+
+I am not confident that I can find and fix all cases where a sector number
+may be truncated. For now, avoid data loss by refusing to mount HFS+
+volumes with more than 2^32 sectors (2TB).
+
+[akpm@linux-foundation.org: fix 32 and 64-bit issues]
+Signed-off-by: Ben Hutchings
+Cc: Eric Sesterhenn
+Cc: Roman Zippel
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/hfsplus/wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/hfsplus/wrapper.c
++++ b/fs/hfsplus/wrapper.c
+@@ -99,6 +99,10 @@ int hfsplus_read_wrapper(struct super_bl
+
+ if (hfsplus_get_last_session(sb, &part_start, &part_size))
+ return -EINVAL;
++ if ((u64)part_start + part_size > 0x100000000ULL) {
++ pr_err("hfs: volumes larger than 2TB are not supported yet\n");
++ return -EINVAL;
++ }
+ while (1) {
+ bh = sb_bread512(sb, part_start + HFSPLUS_VOLHEAD_SECTOR, vhdr);
+ if (!bh)
diff --git a/queue-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch b/queue-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch
new file mode 100644
index 00000000000..dda1bf304da
--- /dev/null
+++ b/queue-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch
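Review bot: The limit is written as the bare literal `0x100000000ULL`, and the reason for it lives only in the commit message. A comment on the check, for example `/* sector numbers are still computed in u32 (see hfsplus_get_block), so refuse more than 2^32 sectors */`, would tell the next reader what has to be fixed before the test can be lifted. The `(u64)` cast is applied to `part_start` alone; it does force the addition into 64 bits, but whether `part_size` can already hold a truncated value when hfsplus_get_last_session() returns cannot be seen from the hunk, since the declarations are outside it.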
@@ -0,0 +1,42 @@
+From 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 12 Oct 2009 21:35:00 -0700
+Subject: Input: synaptics - add another Protege M300 to rate blacklist
+
+From: Dmitry Torokhov
+
+commit 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 upstream.
+
+Apparently some of Toshiba Protege M300 identify themselves as
+"Portable PC" in DMI so we need to add that to the DMI table as
+well. We need DMI data so we can automatically lower Synaptics
+reporting rate from 80 to 40 pps to avoid over-taxing their
+keyboard controllers.
+
+Tested-by: Rod Davison
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/synaptics.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -623,6 +623,16 @@ static const struct dmi_system_id toshib
+ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
+ },
++
++ },
++ {
++ .ident = "Toshiba Portege M300",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
++ },
++
+ },
+ { }
+ };
diff --git a/queue-2.6.27/libata-fix-internal-command-failure-handling.patch b/queue-2.6.27/libata-fix-internal-command-failure-handling.patch
new file mode 100644
index 00000000000..c5d6472841d
--- /dev/null
+++ b/queue-2.6.27/libata-fix-internal-command-failure-handling.patch
@@ -0,0 +1,51 @@
+From f4b31db92d163df8a639f5a8c8633bdeb6e8432d Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Fri, 16 Oct 2009 13:00:51 +0900
+Subject: libata: fix internal command failure handling
+
+From: Tejun Heo
+
+commit f4b31db92d163df8a639f5a8c8633bdeb6e8432d upstream.
+
+When an internal command fails, it should be failed directly without
+invoking EH. In the original implemetation, this was accomplished by
+letting internal command bypass failure handling in ata_qc_complete().
+However, later changes added post-successful-completion handling to
+that code path and the success path is no longer adequate as internal
+command failure path. One of the visible problems is that internal
+command failure due to timeout or other freeze conditions would
+spuriously trigger WARN_ON_ONCE() in the success path.
+
+This patch updates failure path such that internal command failure
+handling is contained there.
+
+Signed-off-by: Tejun Heo
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4747,12 +4747,14 @@ void ata_qc_complete(struct ata_queued_c
+ qc->flags |= ATA_QCFLAG_FAILED;
+
+ if (unlikely(qc->flags & ATA_QCFLAG_FAILED)) {
+- if (!ata_tag_internal(qc->tag)) {
+- /* always fill result TF for failed qc */
+- fill_result_tf(qc);
++ /* always fill result TF for failed qc */
++ fill_result_tf(qc);
++
++ if (!ata_tag_internal(qc->tag))
+ ata_qc_schedule_eh(qc);
+- return;
+- }
++ else
++ __ata_qc_complete(qc);
++ return;
+ }
+
+ /* read result TF if requested */
diff --git a/queue-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch b/queue-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch
new file mode 100644
index 00000000000..274ff86077e
--- /dev/null
+++ b/queue-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch
@@ -0,0 +1,41 @@
+From e9024a059f2c17fb2bfab212ee9d31511d7b8e57 Mon Sep 17 00:00:00 2001
+From: David Woodhouse
+Date: Fri, 30 Oct 2009 17:45:14 +0000
+Subject: libertas if_usb: Fix crash on 64-bit machines
+
+From: David Woodhouse
+
+commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream.
+
+On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas
+usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting
+crashes. Fix that by using skb->data instead.
+
+This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
+when dma_map_single() fails and return the error to its caller as it
+should. In fact it _can't_ currently return the error, since it returns
+void.
+
+So this problem was showing up only at unmap time, after we'd already
+suffered memory corruption by doing DMA to a bogus address.
+
+Signed-off-by: David Woodhouse
+Acked-by: David S. Miller
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/libertas/if_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/if_usb.c
++++ b/drivers/net/wireless/libertas/if_usb.c
+@@ -443,7 +443,7 @@ static int __if_usb_submit_rx_urb(struct
+ /* Fill the receive configuration URB and initialise the Rx call back */
+ usb_fill_bulk_urb(cardp->rx_urb, cardp->udev,
+ usb_rcvbulkpipe(cardp->udev, cardp->ep_in),
+- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET),
++ skb->data + IPFIELD_ALIGN_OFFSET,
+ MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
+ cardp);
+
diff --git a/queue-2.6.27/mbind-fix-leak-of-never-putback-pages.patch b/queue-2.6.27/mbind-fix-leak-of-never-putback-pages.patch
new file mode 100644
index 00000000000..e14e130939e
--- /dev/null
+++ b/queue-2.6.27/mbind-fix-leak-of-never-putback-pages.patch
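Review bot: The URB is now pointed at `skb->data + IPFIELD_ALIGN_OFFSET` but is still given a length of `MRVDRV_ETH_RX_PACKET_BUFFER_SIZE`, so the device may write that many bytes starting IPFIELD_ALIGN_OFFSET bytes into the skb. The skb allocation is outside the hunk; it should be confirmed that it provides at least `MRVDRV_ETH_RX_PACKET_BUFFER_SIZE + IPFIELD_ALIGN_OFFSET` bytes from `skb->data`, otherwise the transfer can run past the end of the buffer. The removed line passed the same length, so this is not introduced by the change, but the commit message itself names memory corruption from DMA as the failure mode in this path. __if_usb_submit_rx_urb() begins and ends outside the hunk.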
@@ -0,0 +1,105 @@
+From ab8a3e14e6f8e567560f664bbd29aefb306a274e Mon Sep 17 00:00:00 2001
+From: KOSAKI Motohiro
+Date: Mon, 26 Oct 2009 16:49:58 -0700
+Subject: mbind(): fix leak of never putback pages
+
+From: KOSAKI Motohiro
+
+commit ab8a3e14e6f8e567560f664bbd29aefb306a274e upstream.
+
+If mbind() receives an invalid address, do_mbind leaks a page. The
+following test program detects this leak.
+
+This patch fixes it.
+
+migrate_efault.c
+=======================================
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+static unsigned long pagesize;
+
+static void* make_hole_mapping(void)
+{
+
+ void* addr;
+
+ addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE,
+ MAP_ANON|MAP_PRIVATE, 0, 0);
+ if (addr == MAP_FAILED)
+ return NULL;
+
+ /* make page populate */
+ memset(addr, 0, pagesize*3);
+
+ /* make memory hole */
+ munmap(addr+pagesize, pagesize);
+
+ return addr;
+}
+
+int main(int argc, char** argv)
+{
+ void* addr;
+ int ch;
+ int node;
+ struct bitmask *nmask = numa_allocate_nodemask();
+ int err;
+ int node_set = 0;
+
+ while ((ch = getopt(argc, argv, "n:")) != -1){
+ switch (ch){
+ case 'n':
+ node = strtol(optarg, NULL, 0);
+ numa_bitmask_setbit(nmask, node);
+ node_set = 1;
+ break;
+ default:
+ ;
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (!node_set)
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ addr = make_hole_mapping();
+
+ err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL);
+ if (err)
+ perror("mbind ");
+
+ return 0;
+}
+=======================================
+
+Signed-off-by: KOSAKI Motohiro
+Acked-by: Christoph Lameter
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -985,7 +985,8 @@ static long do_mbind(unsigned long start
+
+ if (!err && nr_failed && (flags & MPOL_MF_STRICT))
+ err = -EIO;
+- }
++ } else
++ putback_lru_pages(&pagelist);
+
+ up_write(&mm->mmap_sem);
+ mpol_put(new);
diff --git a/queue-2.6.27/ray_cs-fix-copy_from_user-handling.patch b/queue-2.6.27/ray_cs-fix-copy_from_user-handling.patch
new file mode 100644
index 00000000000..8333009a794
--- /dev/null
+++ b/queue-2.6.27/ray_cs-fix-copy_from_user-handling.patch
@@ -0,0 +1,30 @@
+From 575c9ed7798218dc923f319c0d78f0c25ca506b9 Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Tue, 27 Oct 2009 15:35:55 +0000
+Subject: ray_cs: Fix copy_from_user handling
+
+From: Alan Cox
+
+commit 575c9ed7798218dc923f319c0d78f0c25ca506b9 upstream.
+
+I've not touched the other stuff here but the word "locking" comes to mind.
+
+Signed-off-by: Alan Cox
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ray_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -2758,7 +2758,7 @@ static void raycs_write(const char *name
+ static int write_essid(struct file *file, const char __user *buffer, unsigned long count, void *data)
+ {
+ static char proc_essid[33];
+- int len = count;
++ unsigned int len = count;
+
+ if (len > 32)
+ len = 32;
diff --git a/queue-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch b/queue-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
new file mode 100644
index 00000000000..fc1020bcbfb
--- /dev/null
+++ b/queue-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
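Review bot: The added `} else` closes a braced block and opens an unbraced one, which makes `putback_lru_pages(&pagelist);` easy to misread as unconditional once another line is added beneath it. Writing it as `} else {` / `putback_lru_pages(&pagelist);` / `}` keeps both branches braced. A short comment on the else branch saying that pages already collected on `pagelist` have to be handed back when the earlier step failed would also help, because the `if` this else belongs to is outside the hunk and do_mbind() continues past it.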
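Review bot: `unsigned int len = count;` narrows the `unsigned long` count before the `len > 32` clamp, so on a 64-bit build the clamp is applied to the low 32 bits rather than to the value the caller passed. The result still cannot exceed 32, so the buffer stays bounded, but clamping in the wider type first states the intent directly: `unsigned int len = min_t(unsigned long, count, sizeof(proc_essid) - 1);`. That form also ties the limit to `proc_essid[33]` instead of repeating the literal 32. The rest of write_essid() is outside the hunk.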
@@ -0,0 +1,49 @@
+From f61f925859c57f6175082aeeee17743c68558a6e Mon Sep 17 00:00:00 2001
+From: Len Brown
+Date: Sat, 5 Sep 2009 13:33:23 -0400
+Subject: Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"
+
+From: Len Brown
+
+commit f61f925859c57f6175082aeeee17743c68558a6e upstream.
+
+This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13002
+
+Signed-off-by: Len Brown
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/scan.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1262,16 +1262,6 @@ acpi_add_single_object(struct acpi_devic
+ acpi_device_set_id(device, parent, handle, type);
+
+ /*
+- * The ACPI device is attached to acpi handle before getting
+- * the power/wakeup/peformance flags. Otherwise OS can't get
+- * the corresponding ACPI device by the acpi handle in the course
+- * of getting the power/wakeup/performance flags.
+- */
+- result = acpi_device_set_context(device, type);
+- if (result)
+- goto end;
+-
+- /*
+ * Power Management
+ * ----------------
+ */
+@@ -1301,6 +1291,8 @@ acpi_add_single_object(struct acpi_devic
+ goto end;
+ }
+
++ if ((result = acpi_device_set_context(device, type)))
++ goto end;
+
+ result = acpi_device_register(device, parent);
+
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
new file mode 100644
index 00000000000..8754b3d1eef
--- /dev/null
+++ b/queue-2.6.27/series
@@ -0,0 +1,15 @@
+8250_pci-add-ibm-saturn-serial-card.patch
+b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
+dpt_i2o-fix-up-copy-user.patch
+dpt_i2o-fix-typo-of-einval.patch
+driver-core-fix-driver_register-return-value.patch
+fs-pipe.c-null-pointer-dereference.patch
+hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
+input-synaptics-add-another-protege-m300-to-rate-blacklist.patch
+libata-fix-internal-command-failure-handling.patch
+libertas-if_usb-fix-crash-on-64-bit-machines.patch
+mbind-fix-leak-of-never-putback-pages.patch
+ray_cs-fix-copy_from_user-handling.patch
+revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
+tty-mark-generic_serial-users-as-broken.patch
+x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
diff --git a/queue-2.6.27/tty-mark-generic_serial-users-as-broken.patch b/queue-2.6.27/tty-mark-generic_serial-users-as-broken.patch
new file mode 100644
index 00000000000..fda87d4ddff
--- /dev/null
+++ b/queue-2.6.27/tty-mark-generic_serial-users-as-broken.patch
@@ -0,0 +1,77 @@
+From 412145947adfca60a4b5b4893fbae82dffa25edd Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Thu, 29 Oct 2009 12:16:22 +0000
+Subject: tty: Mark generic_serial users as BROKEN
+
+From: Alan Cox
+
+commit 412145947adfca60a4b5b4893fbae82dffa25edd upstream.
+
+There isn't much else I can do with these. I can find no hardware for any
+of them and no users. The code is broken.
+
+Signed-off-by: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/m68k/Kconfig | 6 +++---
+ drivers/char/Kconfig | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/m68k/Kconfig
++++ b/arch/m68k/Kconfig
+@@ -572,7 +572,7 @@ config HPAPCI
+
+ config MVME147_SCC
+ bool "SCC support for MVME147 serial ports"
+- depends on MVME147
++ depends on MVME147 && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME147
+ boards. Everyone using one of these boards should say Y here.
+@@ -587,14 +587,14 @@ config SERIAL167
+
+ config MVME162_SCC
+ bool "SCC support for MVME162 serial ports"
+- depends on MVME16x
++ depends on MVME16x && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME162 and
+ 172 boards. Everyone using one of these boards should say Y here.
+
+ config BVME6000_SCC
+ bool "SCC support for BVME6000 serial ports"
+- depends on BVME6000
++ depends on BVME6000 && BROKEN
+ help
+ This is the driver for the serial ports on the BVME4000 and BVME6000
+ boards from BVM Ltd. Everyone using one of these boards should say
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -310,7 +310,7 @@ config SPECIALIX
+
+ config SX
+ tristate "Specialix SX (and SI) card support"
+- depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA)
++ depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA) && BROKEN
+ help
+ This is a driver for the SX and SI multiport serial cards.
+ Please read the file for details.
+@@ -321,7 +321,7 @@ config SX
+
+ config RIO
+ tristate "Specialix RIO system support"
+- depends on SERIAL_NONSTANDARD
++ depends on SERIAL_NONSTANDARD && BROKEN
+ help
+ This is a driver for the Specialix RIO, a smart serial card which
+ drives an outboard box that can support up to 128 ports. Product
+@@ -382,7 +382,7 @@ config NOZOMI
+
+ config A2232
+ tristate "Commodore A2232 serial support (EXPERIMENTAL)"
+- depends on EXPERIMENTAL && ZORRO && BROKEN_ON_SMP
++ depends on EXPERIMENTAL && ZORRO && BROKEN
+ ---help---
+ This option supports the 2232 7-port serial card shipped with the
+ Amiga 2000 and other Zorro-bus machines, dating from 1989. At
diff --git a/queue-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch b/queue-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
new file mode 100644
index 00000000000..6e24fdc78bf
--- /dev/null
+++ b/queue-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
@@ -0,0 +1,54 @@
+From 81766741fe1eee3884219e8daaf03f466f2ed52f Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Mon, 26 Oct 2009 15:20:29 +0000
+Subject: x86-64: Fix register leak in 32-bit syscall audting
+
+From: Jan Beulich
+
+commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.
+
+Restoring %ebp after the call to audit_syscall_exit() is not
+only unnecessary (because the register didn't get clobbered),
+but in the sysenter case wasn't even doing the right thing: It
+loaded %ebp from a location below the top of stack (RBP <
+ARGOFFSET), i.e. arbitrary kernel data got passed back to user
+mode in the register.
+
+Signed-off-by: Jan Beulich
+Acked-by: Roland McGrath
+LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/ia32/ia32entry.S | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -204,7 +204,7 @@ sysexit_from_sys_call:
+ movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
+ .endm
+
+- .macro auditsys_exit exit,ebpsave=RBP
++ .macro auditsys_exit exit
+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+ jnz ia32_ret_from_sys_call
+ TRACE_IRQS_ON
+@@ -217,7 +217,6 @@ sysexit_from_sys_call:
+ call audit_syscall_exit
+ GET_THREAD_INFO(%r10)
+ movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
+- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
+ movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
+ cli
+ TRACE_IRQS_OFF
+@@ -351,7 +350,7 @@ cstar_auditsys:
+ jmp cstar_dispatch
+
+ sysretl_audit:
+- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
++ auditsys_exit sysretl_from_sys_call
+ #endif
+
+ cstar_tracesys:
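Review bot: After this change nothing in `auditsys_exit` records that `%ebp` must still hold the user's value when the macro falls through to the exit path, and the `/* user %ebp in RCX slot */` remark that hinted at it is removed together with the macro argument. A comment next to `call audit_syscall_exit`, such as `/* %ebp is not reloaded: the call does not clobber it, and reloading it from the frame handed kernel stack data to user mode on the sysenter path */`, would keep the reload from being reintroduced. The macro body starts before and ends after the hunks shown, so whether any other register is reloaded from a frame slot that the sysenter or cstar entry does not fill cannot be checked here.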